Method and system for privatizing computer data

ABSTRACT

A system and method for privatizing computer data comprises the steps of opening a plurality of original data files, fragmenting said original data files into fragments, and interspersing said fragments among each other forming composite files (privacy protected files). The method then comprises the steps of creating a reconstitution file, which identifies hidden dispersion locations and placement of individual fragments to reconstruct the original data files. Finally, the composite files are dispersed to hidden locations. To enhance security, each fragment may be disguised through a multiplicity of high speed mathematical operations, which are directed by a fragment handling guide drawn from a random table, before interspersing fragments in the composite files.

[0001] This invention claims priority from a Provisional Application having file No. 60/238,604, which was filed on Oct. 6, 2000. The Provisional application is incorporated herein by reference.

[0002] A microfiche appendix is included with this patent application.

[0003] A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by any one of the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND OF THE INVENTION

[0004] Keeping data private and secret from unauthorized persons is desirable to everyone. People do not want their personal information such as credit card numbers, medical records, or financial documents disseminated without their permission. Businesses often require that only authorized personnel view or have access to various documents and information. Even the government, including the Federal Bureau of Investigation and the Central Intelligence Agency, has high demand for keeping government matters secret and private, especially matters of national security. In today's technologically advanced society, it is becoming easier for a computer hacker to obtain access to secret files of the unwary data owner.

[0005] Currently, to prevent unauthorized access to data being stored on a hard drive of a computer or to send data over the Internet, encryption is used to scramble the message. There are numerous ways to encrypt plaintext. Some encryption techniques use one private access key for encryption and decryption. The private access key manipulates plaintext into ciphertext and vice versa. This is often referred to as a “symmetric algorithm.” Because the same key is used for encryption and decryption, security and protection of the plaintext is directly related to the private key owner's ability to keep the private key hidden or secret from unauthorized users.

[0006] Another method of encryption uses a public key to encrypt plaintext into ciphertext and a private key to decrypt the ciphertext into a readable message. This technique is referred to as an asymmetric algorithm. Because the encryption key can be released into the public domain, no harm is done unless the private key is discovered to decrypt the ciphertext.

[0007] Regardless of what technique is used, in traditional encryption one basic premise is retained: one file equals one message. Traditional encryption methods have many problems, including lack of efficiency, reliability and simplicity of use. To completely privatize computer data, a system and method are needed that break out of the conventional encryption wisdom that one file equals one message. Nothing in the art suggests or teaches a method to easily privatize data in such a way that the users are not even aware of the high level of security being provided. Accordingly, what is needed in the art is a system and method for privatizing computer data wherein data files are fragmented, randomly interspersed with other fragments from other files to form composite files and then randomly dispersed to hidden locations over the Internet, a hard drive of a stand-alone personal computer and/or other media, such that only authorized users have access to such data.

SUMMARY OF THE INVENTION

[0008] A system and method for privatizing computer data comprises the steps of opening a plurality of original data files, fragmenting said original data files into fragments, and interspersing said fragments among each other forming composite files, which together with an index file comprise a privacy protected archive. The method then comprises the steps of creating a reconstitution file, which identifies hidden dispersion locations and placement of individual fragments to reconstruct the original data files. Finally, the composite files may be dispersed to the hidden locations. To enhance security, each fragment is disguised through an exclusive OR operation and other mathematical operations, with the disguising directed by a fragment handling guide drawn from a random table, before interspersing fragments within the composite files.

[0009] Accordingly, it is an objective of the present invention to provide a system and method for privatizing computer data, which provides substantially complete security from unauthorized persons, without resorting to strong encryption techniques.

[0010] Further, it is another object of the present invention to provide a system and method for privatizing computer data, which provides freedom from data mining.

[0011] Another objective of the present invention is to provide a system and method for privatizing computer data by dispersing files to hidden locations on the Internet and/or other media.

[0012] Further, another objective of the present invention is to provide a system and method for privatizing computer data wherein only authorized users on authorized computers can open a reconstitution file to obtain access to the computer data.

[0013] Still yet, another objective of the present invention is to provide a system and method for privatizing computer files, which serves as an encryption enhancer in that the method can be used on files that are already encrypted.

[0014] Another objective of the present invention is to provide a system and method for privatizing computer files, which uses cascading fragmentation.

[0015] Further, another objective of the present invention is to provide a system and method for privatizing computer files which protects from file loss through automated redundancy.

[0016] Another objective of the present invention is to provide a system and method for privatizing computer files wherein data restoration is tightly controlled and the fragmentation process is precisely reversed in order to reconstitute data.

[0017] Still, another objective of the present invention is to provide a system and method for privatizing computer files wherein computer files can be automatically restored to the original directory locations.

[0018] Another objective of the present invention is to provide a method for privatizing computer files wherein an older version does not overwrite a newer copy unless specifically requested.

[0019] Still yet, another objective of the present invention is to provide a computer readable medium containing instructions for controlling a computer system to perform a method, where the method comprises the steps of providing a plurality of original data files, providing a plurality of fragment storage structures, providing a plurality of composite files, providing at least two locations for storing the plurality of composite files, fragmenting the original data files into fragments, reading each of the fragments from the plurality of original data files, writing each of the fragments into one of the plurality of fragment storage structures, forming interspersed fragments, filling the fragment storage structures with fragments, and writing the interspersed fragments to the composite files.

[0020] Another objective of the present invention is to provide a method for privatizing computer files that is economical in price and light in its demands on computer resources.

BRIEF DESCRIPTION OF DRAWINGS

[0021] The Figures listed below have been selected to illustrate a preferred embodiment of the present invention. These Figures along with the accompanying description and the appended source code of core processes are sufficient for those skilled in the art to practice the invention as claimed. Note that all entities and actions within the drawings are designated by four digit numbers. In all cases, the first two digits are the Figure number in which the action or entity is introduced. Hence each entity or action discussed in this document can be related directly to a specific drawing. In turn, all drawings except the first relate back to a previously discussed action or entity. All Figures, and all boxes within each Figure, are discussed in numeric order below.

[0022] The invention may take physical form in certain parts and arrangement of parts, a preferred embodiment of which will be described in detail in this specification and illustrated in the accompanying drawings which form a part hereof and herein:

[0023] FIG. 01 is a diagram providing an overview of a program that incorporates the system and method, together with five support procedures. Reference is made to extensions to the method not currently implemented within the program;

[0024] FIG. 02 is a flow chart showing all inputs, all outputs, and the interim objects involved in conjunction with the processes that together comprise the system and method 0110 to privatize computer data;

[0025] FIG. 03 is a diagram of the first group of user control selections 0210 which are required inputs for the system and method 0110;

[0026] FIG. 04 is a diagram of a second group of user control selections 0210 which are required inputs for the system and method 0110;

[0027] FIG. 05 is a diagram of a third group of user control selections 0210 which are required inputs for the system and method 0110;

[0028] FIG. 06 is a diagram of a subsidiary user control selection 0210, whose presence speeds the listing of files in FIG. 05 which the user may select as candidates for privatizing through the system and method 0110;

[0029] FIG. 07 is a diagram showing aspects of original data files 0220;

[0030] FIG. 08 is a diagram showing aspects of random tables 0230, which serve as a “catalytic” input (they enhance, but are not changed) in the system and method 0110;

[0031] FIG. 09 is a diagram showing aspects of the remaining prerequisites 0240 to the system and method 0110;

[0032] FIG. 10 is a diagram showing aspects of composite files 0250, the primary output of the system and method 0110;

[0033] FIG. 11 is a diagram showing aspects of the index file 0260, a support output of the system and method 0110;

[0034] FIG. 12 is a diagram showing aspects of the one or more reconstitution files 0270, relatively small outputs of the system and method 0110 whose absence and/or security features preclude the ability of an unauthorized party to retrieve the original data files 0220;

[0035] FIG. 13 is a sequentially ordered diagram of the elements comprising the header 1250 of a reconstitution file 0270 output by the system and method 0110;

[0036] FIG. 14 is a sequentially ordered diagram of the elements comprising the body 1260 of a reconstitution file 0270 output by the system and method 0110;

[0037] FIG. 15 is a diagram setting out the various building blocks, which are assembled to create the reconstitution plan 1270 within a reconstitution file 0270 output by the system and method 0110;

[0038] FIG. 16 is a diagram showing aspects of intermediate objects 0280 which are used in the system and method 0110 to convert the inputs 0210, 0220, 0230, and 0240 into the outputs 0250, 0260, and 0270;

[0039] FIG. 17 is a flow chart setting out the processing steps 0290 to privatize data;

[0040] FIG. 18 is a flow chart expansion of the privatizing processing step, “fragment original data files” 1740;

[0041] FIG. 19 is a flow chart expansion of the fragmenting step, “reset and check input data status” 1810;

[0042] FIG. 20 is a flow chart expansion of the fragmenting step, “finalize a fragment heap” 1870;

[0043] FIG. 21 is a flow chart expansion of the privatizing processing step, “build a reconstitution file” 1770;

[0044] FIG. 22 is a flow chart of the steps required of a person wishing to gain access in the support procedure to share access 0120 to a privacy protected archive 0261;

[0045] FIG. 23 is a flow chart of the first of two sets of inputs required of a person wishing to distribute authorization to others in the support procedure to share access 0120 to a privacy protected archive 0261;

[0046] FIG. 24 is a flow chart of the second of two sets of inputs required of a person wishing to distribute authorization to others, together with underlying processing, in the support procedure to share access 0120 to a privacy protected archive 0261;

[0047] FIG. 25 is a flow chart of the steps required in the support procedure to validate 0130 a privacy protected archive 0261;

[0048] FIG. 26 is a flow chart of the steps required in the support procedure to delete 0140 a privacy protected archive 0261;

[0049] FIG. 27 is a flow chart of the steps required in the support procedure to plan Internet-based locations 0150 for privacy protected archives 0261;

[0050] FIG. 28 is a flow chart of the first of three sets of inputs required in the support procedure to reconstitute data 0160 that has been previously privatized 0110;

[0051] FIG. 29 is a flow chart of the second of three sets of inputs required in the support procedure to reconstitute data 0160 that has been previously privatized 0110;

[0052] FIG. 30 is a flow chart of the last of three sets of inputs and steps required in the support procedure to reconstitute data 0160 that has been previously privatized 0110;

[0053] FIG. 31 is a diagram showing a series of extensions 0170 to the system and method to privatize data 0110; and

[0054] FIG. 32 is a table in numeric order of all entities and actions referenced in FIGS. 01 through 31 and in this document.

PREFERRED EMBODIMENT

[0055] In order to facilitate the efforts of a person of ordinary skill in the art to implement this system and method, a functional set of C++ language source code functions is included in a microfiche appendix to this patent application. Two files in the appendix are especially to the point. A set of implementation notes and the main( ) function appear in a file “PryvitDL.cpp”. At the end of the appendix, the header file “PryvitDL.h” contains comments on a wide range of variables that are accessible through an “access class” and a “#include PryvitDL.h” statement in each of the other functions. Variable names shown in this patent application are quoted from “PryvitDL.h”. Memory management is simplified in the C++ version through declaring maximum quantity and size of most variables; the cost is a globally accessed “access class” of under three megabytes, which presents no challenge to modern personal computers.

[0056] The instant invention fulfills the strong need in the art for providing the highest levels of security and privacy to computer data. Computer data files are fragmented and then fragments are individually manipulated to make each fragment unrecognizable. The fragments from multiple files are randomly mixed together and further disguised to form composite files. Disguising techniques are performed without any detectable pattern. The composite files are then sent to a plurality of hidden locations, such as the Internet, local area networks, a hard drive of a stand-alone computer, a tape, a disk, a smart card or other storage media. All the composite files together with one index file (listing of file names, directories, sizes, dates), wherever they are located, comprise a privacy protected archive. A compact reconstitution file is prepared for the archive; it contains among other things a highly compressed step-by-step plan to retrieve the original data files from the privacy protected archive.

[0057] The Internet appears very public, yet it is an excellent hiding place for composite files located under obscure directory and subdirectory names. For persons to access the secured data, they would need to find the location of every composite file, identify and separate out the many fragments, undo the fragment disguises, and then place the fragments in the correct order. Because the number of possible hidden locations is nearly infinite, it would be almost impossible for an unauthorized user to gain access to the privatized data without the reconstitution file. Only those with authorization can access the private computer data. Further, the private data can be accessed from anywhere in the world by authorized persons who have the proper reconstitution file.

[0058] FIG. 01 is a diagram providing an overview of a program that incorporates the system and method to privatize computer data 0110, together with five support procedures. The system and method 0110 is detailed in FIGS. 02 through 21. However, it cannot stand alone; privatized data that can never be recovered amounts to the proverbial “write-only memory”—an interesting abstraction, but of no practical value. Therefore, FIG. 01 introduces supporting procedures 0120 to 0160 (see FIGS. 22 to 30), which are essential to make an implementation viable. Lastly, FIG. 01 touches on extensions 0170 to the system and method; these extensions are listed in FIG. 31. The essence of the techniques of randomly fragmenting data to ensure privacy can find broad application and contribute to enhanced handling of privacy-related issues on the Internet, in operating systems, etc. as well as in individual and corporate use of computers.

[0059] FIG. 02 is a diagram providing an overview of the system and method 0110, broken into components to facilitate learning by a person of ordinary skill in the art. It is a standard practice in information technology to determine what are the desired outputs from a system and the required inputs, then to establish the processing structures, and the intervening procedures/steps/algorithms required to create those outputs.

[0060] Hence FIG. 02 refers first to four inputs. User control selections 0210 are required as input to the system and method 0110 each time that the user wishes to privatize a set of original data files 0220; these user control selections 0210 are detailed in FIGS. 03 through 06. The second input is a set (one or a multiplicity) of original data files 0220 which are deemed vulnerable to data mining and other abuses; aspects of original data files 0220 are detailed in FIG. 07. The third input to the system and method 0110 is a set of random tables 0230; see FIG. 08. Other prerequisite inputs 0240 are set forth in FIG. 09.

[0061] FIG. 02 next introduces three outputs from the system and method to privatize data 0110. Composite files 0250 are introduced in FIG. 10. The one index file 0260 is analyzed in FIG. 11. The reconstitution file or files 0270 are examined in increasing detail in FIGS. 12 through 15. Note in passing that two outputs together (from 2 to 120 composite files 0250, together with one index file 0260) comprise a privacy protected archive 0261. One privacy protected archive 0261 is created each time the system and method to privatize computer data is run.

[0062] FIG. 02 turns then to how the inputs are transformed into the outputs. Interim objects 0280 are detailed in FIG. 16. The steps in processing 0290 to privatize computer data are expanded in FIGS. 17 to 21.

[0063] FIGS. 03 through 06 treat a broad category of inputs, user's control selections 0210. A person wishing to privatize a selection of original data files 0220, whether consciously or not, must set a range of specifications related to items 0310 through 0630 below. While the list is lengthy, the demands on the user can be reduced by presenting default values, which the user may either accept or amend. A graphical user interface (GUI) is ideal for this purpose.

[0064] FIG. 03 shows a working user interface in the form of an “options dialog” through which the user specifies six items.

[0065] The location of the directory 0310 containing random tables 0230 must be available to the computer program 0930. A minimum of one and preferably eight or more random tables 0230 should be present on the hard disk. They need be present in one copy each, together in one known directory or subdirectory location 0310.

[0066] If the user enters no name for the first reconstitution file 0320, a meaningless name 0451 will be used for the first (and usually only) reconstitution file 0270. Often, the user will prefer to specify a name that reminds him/her specifically of the privacy protected archive 0261 with which the reconstitution file 0270 is associated. The suggested suffix for the name of reconstitution files is “.REC”, but this is not required.

[0067] A password 0330 is embedded in each reconstitution file 0270 in order to prevent an unauthorized person (for example, a thief who has purloined a laptop computer) from running the procedure 0160 to reconstitute privatized data. Where multiple pass cascading fragmentation 0362 has been used, each reconstitution file in the set (one per cascade) carries the same password 0330 in order to automate, expedite, and simplify the reconstitution process 0160. Blank passwords are permitted, and may be appropriate provided the implementation of the system and method incorporates a computer-specific identifier system and the risk of mischief from malevolent hackers is moderate or low.

[0068] The user is provided an automatic deletion option 0340 for original data files 0220. Privatizing these files and then leaving them in their original form on the hard disk leaves them open to prying eyes, surreptitious data mining, etc. However, the user may wish to back up original data files 0220 prior to deletion. This yes/no toggle option 0340 gives the user control.

[0069] Level of security 0350 is a choice between two levels of privacy protection, one the routine “private” level and the other level for cases in which there is heightened concern over possible intent by other persons and/or the specially high value of the original data files 0220 to be protected.

[0070] If the “high security” option is selected as the level of security 0350, an additional drop down box appears in the dialog. Count of cascades 0360 (explained in the following two paragraphs) may range from 2 to 7 under high security; the count of cascades 0360 is one if the merely “private” security option 0350 is selected.

[0071] Single pass fragmentation 0361 is applied automatically if the user selects the routine level of security 0350. In this case, the original data files 0220 selected as input by the user are subjected to the process to privatize data 0290 (detail in FIGS. 17 to 21) once only, and the outputs 0250, 0260, and 0270 on this single pass constitute the final result. Single pass fragmentation 0361 is equivalent to a single cascade in contrast to multiple pass cascading fragmentation 0362 in the next paragraph.

[0072] Multiple pass cascading fragmentation 0362 is applied if the user selects the heightened security option. In this case, the user is asked to specify a number of cascades 0360, ranging from two to seven. Cascading fragmentation 0362 provides ultra high privacy because the content from the original data files 0220 is rearranged and fragmented repeatedly. After each fragmentation run, step 1740, the resulting composite files 0250 are gathered and used as input for another run of fragmenting 1740. A useful metaphor is to liken this repetitive process to blowing up a building, sweeping up the rubble, blowing that up, gathering the now-much-finer rubble, exploding that, and so forth for up to seven iterations. The difference from the building explosion metaphor is that the original data files 0220 can be reconstituted quickly, provided only that the last set in its entirety of composite files 0250, an extended final index file 0260, and one reconstitution file 0270 for each iteration (or cascade) are available to the authorized computer and user. Security is eminently higher, because a person who is denied access to even one element of the outputs listed above is utterly incapable (even with intensive reverse engineering or complete source code for the system and method) of retrieving the original data files 0220. For example, if even one of the reconstitution files 0270 is unobtainable, unauthorized users have no hope of making sense of outputs 0250 that may come into their hands.
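The fragment, disguise, intersperse and reconstitute pipeline of [0056], together with the cascading of [0072], worked through as an added Python example. This is not the patent's C++ source from the microfiche appendix. It assumes the disguise step is reduced to a single XOR against a slice of one random table selected by a per-fragment table offset (standing in for the "fragment handling guide"), that fragment heaps are plain byte strings padded with random bytes to a common length, and that the reconstitution plan is a list of tuples rather than the compressed format of FIGS. 13 through 15. The functions privatize, reconstitute, cascade and uncascade are the example's own names. Two points the code makes concrete: whoever holds the composite files and every plan recovers the originals, so the plans are the secret rather than the hiding places; and with one plan missing, the composite bytes are a shuffle of XOR-masked fragments with no recorded boundaries.

```python
"""Toy model of the privatizing pipeline: fragment, disguise, intersperse,
write a reconstitution plan, and reverse it (optionally in cascades).

Added example; simplified, not the patent's implementation."""
import random

# Constructed stand-in for one of the random tables 0230 (normally read
# from the directory 0310). Fixed seed so the example is reproducible.
RANDOM_TABLE = bytes(random.Random(2000).randrange(256) for _ in range(4096))


def _mask(data, table_offset):
    """Disguise or undisguise a fragment: XOR against the table slice that
    starts at table_offset (the same call reverses itself)."""
    n = len(RANDOM_TABLE)
    return bytes(b ^ RANDOM_TABLE[(table_offset + i) % n] for i, b in enumerate(data))


def privatize(files, dispersion, seed, max_fragment=64):
    """One fragmentation run (step 1740) over {name: bytes}.

    Returns (composites, plan): `dispersion` composite files (0250) of equal
    length, and the plan a reconstitution file (0270) would carry, one record
    per fragment: (file, offset_in_file, heap, offset_in_heap, length,
    table_offset)."""
    if not 2 <= dispersion <= 16:
        raise ValueError("dispersion count 0410 must be 2..16")
    rng = random.Random(seed)
    fragments = []
    for name, data in files.items():
        pos = 0
        while pos < len(data):  # random-length fragments of each file
            size = rng.randint(1, max_fragment)
            fragments.append((name, pos, data[pos:pos + size]))
            pos += size
        if not data:
            fragments.append((name, 0, b""))  # keep empty files restorable
    rng.shuffle(fragments)  # intersperse fragments of different files
    heaps = [bytearray() for _ in range(dispersion)]
    plan = []
    for name, pos, chunk in fragments:
        heap = rng.randrange(dispersion)
        table_offset = rng.randrange(len(RANDOM_TABLE))  # per-fragment guide
        plan.append((name, pos, heap, len(heaps[heap]), len(chunk), table_offset))
        heaps[heap] += _mask(chunk, table_offset)
    # Pad every heap to the same length so sizes leak nothing about the split
    # (the patent pads fragment heaps 1651 into composite segments 1652).
    width = max(len(h) for h in heaps)
    composites = [bytes(h) + rng.randbytes(width - len(h)) for h in heaps]
    return composites, plan


def reconstitute(composites, plan):
    """Precisely reverse privatize(): cut each fragment out of its heap,
    unmask it, and reassemble the files in original order."""
    parts = {}
    for name, pos, heap, off, length, table_offset in plan:
        chunk = _mask(composites[heap][off:off + length], table_offset)
        parts.setdefault(name, []).append((pos, chunk))
    return {name: b"".join(c for _, c in sorted(p)) for name, p in parts.items()}


def cascade(files, cascades, dispersion, seed):
    """Multiple pass cascading fragmentation 0362: the composite files of
    pass i become the input files of pass i+1. One plan per cascade."""
    if not 1 <= cascades <= 7:
        raise ValueError("count of cascades 0360 must be 1..7")
    current, plans = files, []
    for i in range(cascades):
        composites, plan = privatize(current, dispersion, seed + i)
        plans.append(plan)
        # Interim composites are named so the next plan can refer to them.
        current = {f"pass{i}_{k}.PVT": c for k, c in enumerate(composites)}
    return list(current.values()), plans


def uncascade(final_composites, plans, dispersion):
    """Undo the cascades last-first; every plan is required."""
    composites = final_composites
    for i in range(len(plans) - 1, -1, -1):
        files = reconstitute(composites, plans[i])
        if i == 0:
            return files
        composites = [files[f"pass{i - 1}_{k}.PVT"] for k in range(dispersion)]


if __name__ == "__main__":
    # Constructed sample inputs.
    docs = {"card.txt": b"4111 1111 1111 1111 exp 12/04",
            "ledger.csv": bytes(range(256)) * 3, "empty.dat": b""}
    final, plans = cascade(docs, cascades=3, dispersion=3, seed=11)
    assert uncascade(final, plans, 3) == docs
    print(len(final), "composite files;", [len(p) for p in plans], "fragments per pass")
```

The XOR here reuses one fixed table with per-fragment offsets, so masks repeat across fragments and across runs; [0009] states the method does not rely on strong encryption, and this example does not make it so. The confidentiality the page claims rests on the plan (and the hiding places) being unavailable, which is why the plan records above carry every boundary and offset and nothing in the composite files does.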

[0073] Returning to FIG. 03, the user who wishes even greater security is always free to perform multiple single pass iterations 0361, manually setting output from one session as input for the next, with different passwords 0330 for each, for as many iterations/cascades 0360 as desired—well beyond the automated maximum of seven.

[0074] FIG. 04 is a diagram of a second group of user control selections 0210 which are required inputs for the system and method 0110. The illustrated locations dialog in FIG. 04 invites either input or confirmation from the user on six elements of data.

[0075] The dispersion count 0410 is selected by the user. The higher the dispersion count 0410, the more widely the fragments 1620 are dispersed and the more difficult it would be for a malevolent person to access all the parts of a privacy protected archive 0261 and to decipher their content. Values for the dispersion count 0410 may range from 2 to 16; a default of 3 is often appropriate. The dispersion count 0410 is used in two ways. Fragments 1620 are dispersed across a minimum of two and a maximum of 16 fragment heaps 1651; hence the expression “dispersion count”. These fragment heaps 1651 are padded as necessary to create composite segments 1652, camouflaged, and written to composite files 0250, which in turn may be optionally dispersed in unique sets to “dispersion count” Internet locations. It will be shown later that the number of unique composite files 0250 produced is always an exact multiple of the dispersion count 0410.

[0076] The user must specify a working directory 0420, a location on the hard drive or on a local area network to which all copies of output files 0250, 0260, and 0270 may be written. While the system and method 0110 provides for optional dispersion of composite files 0250 and the index file 0260 to the Internet, it is always the case that the outputs 0250, 0260, and 0270 are placed together in one directory on the user's computer 0920. The rationale of a single working directory 0420 is that it permits backup prior to optional erasure of the hard disk copy. In addition, it provides essential working storage for interim composite files 0250 that may be used as inputs in lieu of original data files 0220 in successive cascades, should the user desire the benefits of multiple pass cascading fragmentation 0362.

[0077] Redundancy count 0430 is an option in which the user may specify that zero, one, two, or three copies of each composite file are to be automatically dispersed to Internet locations 0440. Redundancy 0430 is measured in addition to the single copy of each output placed in the working directory 0420 of the user's hard disk. Only one copy of each composite file 0250 needs to be present for the process of reconstituting privatized data 0160, even if several copies were originally created and distributed under the redundancy 0430 option. Occasionally, Internet servers are temporarily out of service. If a composite file 0250 or index file 0260 is hidden on an out-of-service server, it is not retrievable from that location 0440. Using redundancy 0430, each file comprising the privacy protected archive 0261 is sent to multiple hidden dispersion locations 0440 to minimize the risk of encountering a down server. During the reconstituting process 0160, the search is terminated for any one copy of a composite file 0250 or the index file 0260 when the first copy of it is found.

[0078] Target Internet dispersion locations 0440 are required whenever the redundancy is greater than zero. To be precise, dispersion count 0410 (value 2 to 16) multiplied by redundancy count 0430 (value 0 to 3) target Internet locations 0440 are needed. The count of Internet dispersion locations 0440 may range from zero (0 times any value 2 to 16) to 48 (3 copies for each of 16 sets). However, counts above 12 would be unusual. Among the supporting procedures is planning the dispersion of privatized data 0150 (see detail in FIG. 27), in which the user may set up and manage an extended list 0915 from which Internet locations data 0440 are drawn. In each session of creating a privacy protected archive 0261, the user may select 2 to 16 (i.e., the dispersion count 0410) times 0, 1, 2, or 3 (i.e., the redundancy count 0430) specific Internet dispersion locations 0440 to which copies of composite files 0250 and the index file 0260 will be sent. In the preferred embodiment, the user sets both the dispersion count 0410 and the intended redundancy 0430, and the program automatically selects random Internet dispersion locations 0440 from the “ILocate.dat” file 0915. The user may override these random selections if desired. Usually he or she will not override them, since the actual targets in any one instance do not really matter, provided they are locations to which the user has access. It is usually sufficient to know that the material has been dispersed as broadly as desired (dispersion count 0410) with adequate redundancy 0430.
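The location arithmetic of [0078] and the first-copy-found retrieval of [0077], as an added Python example that is not the patent's code. It assumes the user's location list 0915 is a Python list of "host/path" strings, that servers are an in-memory dict keyed by location, and that a down server is modelled by a set of host names that answer nothing; plan_locations, disperse, fetch_first_found and reassemble_archive are the example's own names. The index file 0260 is left out of the simulation because the page does not say which of the chosen locations receive it.

```python
"""Planning Internet dispersion locations (0150/0440) and first-copy-found
retrieval under redundancy (0430). Added example; servers are simulated."""
import random


def plan_locations(dispersion, redundancy, location_list, rng):
    """Draw dispersion*redundancy distinct targets from the user's list
    (the "ILocate.dat" file 0915 in the patent) and give `redundancy` of
    them to each composite-file set. Returns {set_index: [locations]}."""
    if not 2 <= dispersion <= 16:
        raise ValueError("dispersion count 0410 must be 2..16")
    if not 0 <= redundancy <= 3:
        raise ValueError("redundancy count 0430 must be 0..3")
    needed = dispersion * redundancy  # 0..48, per [0078]
    if needed > len(location_list):
        raise ValueError(f"need {needed} locations, only {len(location_list)} planned")
    drawn = rng.sample(location_list, needed)  # distinct locations
    return {k: drawn[k * redundancy:(k + 1) * redundancy] for k in range(dispersion)}


def disperse(composites, assignment, servers):
    """Copy composite k to every location assigned to set k, on top of the
    working-directory copy (0420) the caller keeps locally. `servers` maps
    "host/path" -> bytes. Returns {composite_name: [locations]}, the
    information a reconstitution file must record to find copies again."""
    where = {}
    for k, (name, data) in enumerate(composites.items()):
        for loc in assignment[k]:
            servers[loc] = data
        where[name] = list(assignment[k])
    return where


def fetch_first_found(name, locations, servers, down_hosts):
    """Try the recorded locations in order and stop at the first copy found
    ([0077]); a host in down_hosts answers nothing. Returns (data, tried)."""
    tried = []
    for loc in locations:
        tried.append(loc)
        host = loc.split("/", 1)[0]
        if host in down_hosts:
            continue  # out-of-service server: this copy is unreachable
        if loc in servers:
            return servers[loc], tried
    return None, tried


def reassemble_archive(where, servers, down_hosts):
    """Gather one copy of every composite; report the ones no live server
    holds. Reconstitution needs all of them, so any missing name is fatal."""
    found, missing = {}, []
    for name, locs in where.items():
        data, _ = fetch_first_found(name, locs, servers, down_hosts)
        if data is None:
            missing.append(name)
        else:
            found[name] = data
    return found, missing


if __name__ == "__main__":
    rng = random.Random(5)
    # Constructed location list and composite contents.
    ilocate = [f"host{h}.example/pvt/" for h in range(12)]
    composites = {"Q7ABCDEF.PVT": b"...", "Q7ABCDEG.PVT": b"...", "Q7ABCDEH.PVT": b"..."}
    assignment = plan_locations(3, 2, ilocate, rng)  # 6 locations needed
    servers = {}
    where = disperse(composites, assignment, servers)
    down = {where["Q7ABCDEF.PVT"][0].split("/", 1)[0]}
    print(reassemble_archive(where, servers, down))
```

With redundancy 2 the loss of a single host still leaves one copy of each set reachable; with redundancy 0 the Internet copies do not exist and only the working-directory copy can be used, which is the trade-off [0077] describes.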

[0079] A prefix for output file names 0450 may be specified. This tactic permits the user to override the first one, two, or three characters of all output file names associated with the privacy protected archive 0261, making them consistent across that archive. In this way the user may distinguish among files from different archives. The advantage of such an override is that the probability of two files from different archives 0261 having exactly the same name (and one overwriting the other) is reduced from one chance in 341,172 to zero chance, provided distinct prefixes are chosen for the different archives. The first character in a prefix 0450 must be a letter. The second and third may be a letter or a numeric digit in the range 2 to 7.

[0080] A major characteristic of output file names 0451 is meaninglessness. The actual names are normally immaterial to an authorized person who wishes to reconstitute original data files 0220; management of file names is totally taken care of through the reconstitution file 0270. During the fragmentation process 1740, the program creates a scramble of letters and digits (for example D8GU9WBB) for each output file—the one index file 0260, up to 120 composite files 0250, and up to seven reconstitution files 0270. This is done specifically to minimize clues and patterns that might benefit a malevolent person trying to break the privacy. These names consist of eight characters (the first a letter, the second through eighth a letter or a digit 2 . . . 7), with a suffix .PVT for the index file 0260 and composite files 0250, and suffix .REC for the reconstitution files 0270. The 128 names are each unique in the five character combination making up the fourth through eighth characters.

[0081] Names for seven output reconstitution files 0452 are as per the discussion of names for output files 0451, with the one exception that the user has the opportunity to stipulate a meaningful name for the first reconstitution file 0320.
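Name generation under the rules of [0079] through [0081], as an added Python example that is not the patent's generator. It assumes the symbol set is the 26 upper-case letters plus the digits 2 through 7, that uniqueness of the last five characters is enforced by retrying a colliding draw, and that one archive draws at most 128 names (1 index, 120 composites, 7 reconstitution files); validate_prefix, generate_names and archive_file_names are the example's own names. Note that the illustrative name D8GU9WBB in [0080] contains the digits 8 and 9, which the stated rule excludes; the code follows the rule, not the illustration.

```python
"""Meaningless output file names (0451/0452) with an optional prefix (0450).
Added example; the patent's own generator is not reproduced."""
import random
import string

LETTERS = string.ascii_uppercase
SYMBOLS = LETTERS + "234567"   # letters plus digits 2..7: 32 symbols
TAIL_LEN = 5                   # characters 4..8 must be unique per archive
MAX_NAMES = 1 + 120 + 7        # index + composites + reconstitution files


def validate_prefix(prefix):
    """First character a letter; second and third a letter or a digit 2..7."""
    prefix = prefix.upper()
    if len(prefix) > 3:
        raise ValueError("prefix 0450 is at most three characters")
    if prefix and prefix[0] not in LETTERS:
        raise ValueError("first character of the prefix must be a letter")
    for ch in prefix[1:]:
        if ch not in SYMBOLS:
            raise ValueError(f"{ch!r} is not a letter or a digit 2..7")
    return prefix


def generate_names(rng, prefix="", count=MAX_NAMES):
    """Return `count` eight-character names: a letter followed by seven
    symbols, with the leading len(prefix) characters overridden by the
    prefix, and no two names sharing their last five characters."""
    prefix = validate_prefix(prefix)
    names, tails = [], set()
    while len(names) < count:
        head = rng.choice(LETTERS) + "".join(rng.choice(SYMBOLS) for _ in range(2))
        head = prefix + head[len(prefix):]
        tail = "".join(rng.choice(SYMBOLS) for _ in range(TAIL_LEN))
        if tail in tails:  # 32**5 possible tails, so a retry is rare
            continue
        tails.add(tail)
        names.append(head + tail)
    return names


def archive_file_names(rng, composite_count, cascades, prefix="", first_rec=None):
    """Names for one archive: the index file and the composite files get
    .PVT, one reconstitution file per cascade gets .REC, and the user may
    replace the first reconstitution name with a meaningful one (0320)."""
    if not 1 <= composite_count <= 120:
        raise ValueError("an archive holds 1..120 composite files")
    if not 1 <= cascades <= 7:
        raise ValueError("1..7 reconstitution files, one per cascade")
    pool = iter(generate_names(rng, prefix))
    index = next(pool) + ".PVT"
    composites = [next(pool) + ".PVT" for _ in range(composite_count)]
    recs = [next(pool) + ".REC" for _ in range(cascades)]
    if first_rec:
        recs[0] = first_rec
    return {"index": index, "composites": composites, "reconstitution": recs}


if __name__ == "__main__":
    names = archive_file_names(random.Random(1), 6, 2, prefix="AB7", first_rec="taxes2000.REC")
    print(names["index"], names["composites"], names["reconstitution"])
```

The alphabet this rule describes (A to Z and 2 to 7) is the same 32-symbol set as RFC 4648 base32, which is why such names survive case-insensitive and digit-hostile file systems; the security-relevant property is only that the name carries no information about content, archive or order, which the reconstitution file restores.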

[0082]FIG. 05 introduces the “select files” dialog. The primary controlselection 0210 in the mind of the user is likely to be creation of theselection list 0520 of original data files 0220. The ability to selectmultiple files at a time for input is a common feature of graphical userinterfaces.

[0083] The “select files” dialog offers five selection buttons 0510.

[0084] Button 0511, “select files from another drive”, is an artificethat substantially speeds up display of directory locations 0530 andoriginal data file names 0540. The Windows version of the computerprogram 0930 starts with one hard disk drive only in the directorylocations area 0530. This saves time the program would otherwise usehaving to cycle through all available drives; such cycling carries apenalty of several seconds for each removable media drive that iscurrently empty. The “select files from another drive” button 0511provides flexibility, should the user wish to access other drives.

[0085] Button 0512 “add selected folders and subfolders to list” and button 0513 “remove selected folders and subfolders from list” both require that a folder be highlighted by the user in the directory location area 0530, found in the lower left panel in the screen image in FIG. 05. Button 0512 adds all files in the highlighted folder and its subfolders to the current selection list of data files 0520. Button 0513 removes them from the list.

[0086] Button 0514 “add selected files to list” and button 0515 “remove selected files from list” both require that one or more files be highlighted by the user in the original data file name area 0540, found in the lower right panel in the screen image in FIG. 05. Button 0514 adds the files to the current selection list of data files 0520. Button 0515 removes them from the list.

[0087] The current selection list of data files 0520 starts empty. Files are moved into and out of the list using a combination of the five selection buttons 0510 and highlighting of folders and files in the two lists. The objective is to specify all the original data files 0220 that are to be made private by the system and method 0110 in one privacy protected archive 0261. The current selection list 0520 must contain at least one file for the system and method to work; the list may contain literally thousands of files.

[0088] Directory locations 0530 are displayed in the lower left panel. Any section may be expanded by clicking on a plus sign to the left; it may be contracted by clicking on a minus sign to the left. The directory locations 0530 of selected files 0520 will be preserved in the index file 0260, so that files may be restored to the same place on the same drive, or within an identical framework on another drive in the procedure to reconstitute data 0160.

[0089] Original data file names 0540 are displayed in the lower right panel whenever a directory in the directory locations 0530 panel is double clicked. The names 0540 of selected files 0520 will be preserved in the index file 0260, so that files may be restored with the identical names in the procedure to reconstitute data 0160.

[0090] A privatize flag 0550 (in the form of four asterisks in the screen image) to the right of a name in the file name list 0540 indicates that the file is currently in the selection list 0520.

[0091] Sizes 0560 of all files are listed in bytes in the lower right panel. This information aids the selection process since time to privatize files 0110 and time to reconstitute them 0160 are both functions of the total sizes of files placed within the current selection list 0520. At the same time, there is no technical upper bound to the size of an original data file 0220, beyond that imposed by the operating system. For example, in a 32 bit implementation, a file of 2 to the 32nd power bytes (over 4 billion bytes) can be handled. At the other extreme, the programmer may wish to impose a lower bound on cumulative file size (say 16 bytes) to guard against attempts at reverse engineering.

[0092] Date and time 0570 of all files are shown as an aid to the user in ensuring that selected files are appropriate versions. Date and time of selected files are incorporated during processing into the index file 0260 and used in the reconstitution process 0160 so that retrieved data may be identical in every respect to the original form.

[0093] FIG. 06 shows a “select alternative drive dialog”, a selection device necessary if the user clicks on the “select files from another drive” button 0511. A drop down box lists the drives available on the computer; the user is expected to click on one as a drive 0610 holding original data files 0220. The OK button 0620 returns the user to the “select files” dialog in FIG. 05. The Cancel button 0630 is handy if the user selects a removable media drive within which there is currently no medium (floppy disk, mass storage disk, etc.).

[0094] FIG. 07 is a diagram showing aspects of original data files 0220.

[0095] The first aspect is eligibility 0710 of an original data file 0220 for privatizing. In their normal (non-privatized) form, original data files 0220 are vulnerable to misappropriation, data mining, and other undesired and unintended uses. But this does not apply to all files. For example, there is little to be gained in privatizing files which are publicly or broadly available. Neither does it seem appropriate to privatize executable programs, most operating system files, etc. Typically a small subset of what is on the hard disk of a computer consists of data which has value to the user or to the organization that the user represents. In general, only data files that contain valued personal or organizational property should be made private.

[0096] Type 0720 is the second aspect. The system and method of privatizing computer data treats all files as byte streams; hence any file type whatsoever (word processing output, spreadsheet, database, graphic, etc.) may be specified as an original data file 0220, within any operating system in which the system has been implemented. In the light of the preceding paragraph, consider all eligible data files as “regular files” 0721. This is in contrast to two other types, which present themselves as interesting possibilities where security is a major concern. Files already privatized 0722 can be used as input for another round of privatizing; this forms the basis of cascaded fragmentation 0362. Files already encrypted 0722 can also be used as input to the system and method 0110. In this sense, the underlying technique of random fragment dispersion elevates the system and method of privatizing computer data 0110, which is documented here, into an encryption enhancer.

[0097] Count 0730 is also relevant. The number of files being made private in one archive may be any integral quantity without limit.

[0098] FIG. 08 shows another major input to the method. Random tables 0230 play several roles in disguising fragments 1620 while making possible a very compact rendering of the reconstitution plan 1270 for a privacy protected archive 0261. Five aspects of random tables 0230 are considered in 0810 through 0850.

[0099] The source 0810 of random tables 0230 is normally the Internet. Master copies of random tables 0230 are provided for users by the firm responsible for commercializing the system and method 0110 of privatizing data. In the preferred embodiment, over a hundred random tables 0230, each unique, are freely posted for download on the Internet. Although the system functions with only one random table 0230 present on the hard disk, the user is encouraged to keep a minimum of eight and preferably more on hand.

[0100] The size 0820 of each and every random table 0230 is precisely 65,536 bytes. Sixteen bits (two eight bit bytes) can be used to express any integer value between 0 and 65,535 (one less than two to the power 16). Every possible 16 bit address points to a valid offset within the random table 0230, and no parts of the random table 0230 are missed by 16 bit addressing.

[0101] The name and identifier 0830 of each random table 0230 is derived from a five digit number ranging from 00000 to 65535. In the preferred embodiment, the five digit identifier number is built into the name of the random tables 0230, which have names of the form PVT#####.TBL, for example PVT29876.TBL and PVT09137.TBL. The numeric identifier corresponds to the binary value in the first two bytes of the 65,536 byte random table 0230.

[0102] The content 0840 of a random table 0230 is a highly randomized stream of bits. The only exception is the first two bytes (16 bits), which form a binary integer in the range zero to 65,535; these two bytes match the name and identifier 0830 of that particular random table 0230. In their creation, care is taken that no two random tables 0230 share lengthy subsets, and that each passes the latest anti-virus check so as not to create problems for users.

[0103] The count 0850 of random tables 0230 must be at least one and ideally is greater than eight.

[0104] FIG. 09 is a diagram showing aspects of three remaining prerequisites 0240 to the system and method 0110.

[0105] The first is Internet locations data 0910 comprising the targets 0440 to which composite files 0250 and the index file 0260 may be optionally dispersed. Each entry consists of four elements. An IP (Internet Protocol) address 0911 may be expressed either as four numbers, each in the range 0 to 255, separated by periods (example: 64.224.160.161) or as a verbal form such as ftp.MyHidingPlace.com. Within this address, files may be hidden in innocuously named directories and/or a hierarchical sequence of subdirectories 0912. Next comes the name of a user 0913 authorized to post files by file transfer protocol (FTP) to that location. The fourth element is the password 0914 required to place files in that location. In the preferred embodiment, entries with each of these four elements comprise a file named “ILocate.dat” 0915. This file is maintained in the same directory as the random tables 0230; “ILocate.dat” 0915 is disguised sufficiently to protect against data mining or casual observation of Internet target locations 0910. Lists of Internet locations entries may also appear in temporary text files 0916, provided by Internet Service Providers (ISPs), or Internet Storage Service Providers (ISSPs). Organizations with Intranets may also create lists to aid their employees in building suitable “ILocate.dat” files 0915. Ideally, all files containing Internet location data should be given a computer-specific disguise, to impede theft of files and misuse of Internet sites listed therein.

[0106] Note that where the user is content to keep the privacy protected archive 0261 on hard disk, Internet locations data (0910 and 0440) is not an essential input.

[0107] FIG. 09 states the obvious: a computer 0920 is required in order to implement the system and method to privatize computer data 0110. The method makes no distinction or restriction as to type of computer (mainframe, mini, personal, etc.). The first implementation was built for personal computers using a 32 bit operating system, namely, MICROSOFT WINDOWS® (a registered trademark of the Microsoft Corporation). The system and method, however, imposes no inherent restriction on the selection of the computer operating system. While it is technically possible to use the system and method without Internet access and to privatize computer files locally, it is desirable that a computer 0920 using the system and method to privatize computer files should have Internet access 0921. Another useful feature on the computer 0920 would be a software application (outside the purview of this patent application) that generates an eight byte computer identifier 0922 and appropriate signature files 0923 which authenticate the identity of the user's computer. This identification feature has a role in sharing access to privacy protected archives 0261 that have been posted to the Internet. In the first commercial rendition of the method, a product called Secure Software Rental by Marpex Inc. has been used for this purpose.

[0108] FIG. 09 introduces another prerequisite, a computer program 0930 which implements the system and method. Three characteristics of this program are important. These are set out in 0931 through 0933.

[0109] The efficiency 0931 of the computer program is crucial to a good implementation. The process of fragmenting original data files 1740 is highly iterative. With fragments 1620 ranging from 1 to 16 bytes in size, the average fragment size is about 8.5 bytes. Hence a megabyte (1,048,576 bytes) of input from original data files 0220 is broken into over 123,000 fragments 1620. Efficient processing of this iterative process is required to ensure that response time is acceptable to the user.

[0110] Precision 0932 of the computer program is essential. Reconstitution 0160 from a privacy protected archive 0261 is possible only if the steps in the fragmenting process 1740 are precisely reversed. Tests with the prototype implementation showed that this is possible even for exceptionally large quantities of content in the original data files 0220. In one test, for example, 43 megabytes comprising 79 files were reconstituted with byte for byte equivalence to the originals in 49 seconds on a laptop computer running at 360 megahertz.

[0111] The scope 0933 of the computer program 0930 should include the series of procedures 0120 through 0160 that make an implementation useful. These support procedures are listed in FIG. 01 and detailed in FIGS. 22 through 30.

[0112] FIG. 10 is a diagram showing four aspects of composite files 0250, the primary output of the system and method 0110.

[0113] The content 1010 of composite files 0250 is fragments 1620, drawn from original data files 0220, disguised, and interspersed in random and unpredictable ways, and padded as necessary to create composite segments 1652. Each composite segment 1652 is further camouflaged before it is written out or appended to a composite file 0250.

[0114] The size 1020 of composite files 0250 is always a multiple of 1,024 bytes. Composite files 0250 are written out in segments of 65,536 bytes, or some lesser multiple of 1,024 bytes when there are no further original data files 0220. To be precise, all composite files 0250 are a multiple of 65,536 bytes in size, with the exception of the last “dispersion count” 0410 composite files; these last are smaller, but still a multiple of 1,024 bytes in size. Padding with random bytes is added as necessary to fill out the fragment heap 1651 into a composite segment 1652 with the appropriate multiple of 1,024 bytes.

[0115] The count 1030 of composite files 0250 is always equal to or some multiple of the dispersion count 0410 (2 to 16) in any one privacy protected archive 0261. The upper bound is the highest multiple of the dispersion count 0410 where that multiple is less than 121. When about 7.5 megabytes (120 times 65,536 bytes) have been written out, all up to 120 possible composite files 0250 are in use, and further composite segments 1652 are appended starting over again at the first composite file 0250 and adding to the end of each successive composite file in order, repeating as necessary until all incoming original data files 0220 have been processed.

[0116] Names 1040 of composite files are as set out in names for output files 0451. In other words, composite files 0250 all have meaningless names of one alphabetic character followed by a combination of seven alphabetic characters and/or numeric digits, with the suffix “.PVT” added to the name. The first one, two, or three characters may be overridden and made uniform if the user has selected a prefix 0450 for output file names.

[0117] FIG. 11 is a diagram showing aspects of the index file 0260, a support output of the system and method 0110. This index file 0260 is a disguised listing of directory locations and names of original data files 0220, together with subsidiary information on each file. All of the index file 0260 except the subsidiary information is text. The entire content is disguised prior to the index file 0260 becoming part of a privacy protected archive 0261.

[0118] Each directory tree entry 1110 (for example, “>c:\data\personal\MyFinances”) starts with a “greater than” symbol and finishes with a terminating null.

[0119] After each directory location entry 1110 there may be one or a plurality of names 1120 of original data files 0220 drawn from that directory.

[0120] After the terminating null of each file name 1120 appear four binary data elements which are supplementary file information 1130. The first supplement 1130 is a one byte value (0 . . . 15) indicating the input stream 1131 during fragmentation 1740. Next is a four byte date-time stamp 1132 corresponding to the displayed date and time 0570 for that file in FIG. 05. The third supplement 1130 is the size 1133 of the file in bytes 0560 in the form of a compressed integer 1240. The fourth supplement 1130 is the offset 1134 of the first byte of the directory location 1110 applicable to this file earlier within this index file 0260. Offset 1134 is also recorded in the form of a compressed integer 1240. These subsidiary data elements enable later restoration of the directory location 0530, original data file name 0540, and time stamp 0570 of the original data file 0220, and optionally verification of the size 0560, when the original data file 0220 is reproduced by the procedure to reconstitute privatized data 0160.

[0121] The size 1140 of the index file 0260 is the smallest multiple of 2,048 that will include all directory entries 1110 with their respective file entries 1120 and subordinate file data 1130.

[0122] The count 1150 is always exactly one index file 0260 for each privacy protected archive 0261.

[0123] Where multiple pass cascading fragmentation 0362 is used, the index file 0260 is comprised of multiple segments, a successive segment for each cascade 0360. The applicable range 1160 for a cascade 0360 is noted in that cascade's reconstitution file 0270. Only the segment for the first cascade contains original file names and data. The second through to the next to last segment of the index file 0260 each hold names of temporary composite files 0250 which are destroyed once they have served the purpose of input for the following cascade.

[0124] The index file name 1170 follows the convention for names of output files 0451; the name in this case masquerades as a composite file 0250 with the same eight character content followed by a suffix “.PVT”. The index file 0260 is distinguished by two features. When dispersed, it is sent to the target location(s) for the first group of composite files 0250. Secondly, the index file 0260 tends to be smaller than composite files 0250.

[0125] FIG. 12 introduces aspects of the reconstitution file 0270. Where normal security is desired, there is one reconstitution file 0270 to match the one cascade 0360 associated with single pass fragmentation 0361. If multiple pass cascaded fragmentation 0362 is selected, there is one reconstitution file 0270 for each cascade.

[0126] The type and purpose 1210 of a reconstitution file 0270 can be subdivided among three possibilities. These are master 1211, backup 1212, and distribution 1213. A master (“M”) 1211 reconstitution file 0270 is created each time the user employs the system and method 0110 to privatize computer data; two to seven such master 1211 reconstitution files 0270 are created if multiple pass cascading fragmentation 0362 is involved. Backup (“B”) 1212 and distribution (“D”) 1213 reconstitution files 0270 are created by the support procedure to share access 0120 to privacy protected archives 0261. Master 1211 and backup 1212 reconstitution files 0270 may be used to view hidden dispersion locations 0440, to run the support procedure to share access 0120 and create additional reconstitution files 0270 for either backup or distribution, and/or delete privacy protected archives 0261 that are posted to Internet locations 0440. A reconstitution file 0270 marked “D” for distribution 1213 may be used only to reconstitute privatized data 0160, and to delete privacy protected archives 0261 on local hard disk.

[0127] Secure handling precautions 1220 are in order for reconstitution files 0270. These files are designed to be quite small in comparison to the components of the counterpart privacy protected archive 0261. Without access to the reconstitution file or files 0270, it is virtually impossible for anyone to precisely reverse the process required to recoup the original data files 0220. By moving the reconstitution files 0270 off line to other media, the user makes the related privacy protected archive especially free from attack. At a minimum, it should be moved to an anonymous alternative location. Of course, effective security must be supported by prudent backup procedures. If the reconstitution file were lost and if the original data files were not backed up, the content is lost forever.

[0128] The reconstitution file name 1230 follows the earlier discussion under 0320, 0451, and 0452.

[0129] Selected elements in reconstitution files 0270 are stored in the form of a compressed integer 1240. Compressed integers are non-negative integers expressed in one or more sequential bytes. Bytes are arranged in descending order from high to low value. In the first byte, the location of the first bit which is turned on determines the number of bytes. If the high order bit (the very first bit) is set, the compressed integer is shown in the remaining seven bits of that one byte (range 0 to 127). Bit pattern 01 at the beginning of the first byte means the value is in fourteen bits (remaining six bits of byte 1, the eight bits of byte 2) with range 128 to 16,383. Bit pattern 001 in lead-in to the first byte means a three byte integer in twenty-one bits (5+8+8 bits) with range 16,384 to 2,097,151. Bit pattern 0001 in lead-in to the first byte means a four byte integer in twenty-eight bits (4+8+8+8 bits) with range 2,097,152 to 268,435,455. There is no theoretical upper bound to compressed integers. The preferred embodiment limits its use to values less than 268,435,456.

[0130] There are three limitations to the use of compressed integers: 1) they must be non-negative integers, 2) the programmer must know where in a byte stream a compressed integer starts, and 3) byte streams containing compressed integers can only be read in the forward direction. Trying to detect a compressed integer by reading backward in a stream is open to misinterpretation. A function to convert from an integer to a compressed integer, and a counterpart function to convert from a compressed integer to a normal integer, each amount to little more than bit shifting. These functions therefore are very quick. Examples in the microfiche appendix are named “fr_c_int.cpp” (from compressed integer) and “to_c_int.cpp” (to compressed integer). Compressed integers are useful for avoiding patches of null bytes that show up frequently in fixed length data. Disguised or encrypted compressed integers are less vulnerable to pattern detection. In the reconstitution file 0270, compressed integers contribute significantly to reducing file size.
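The following C++ is an added illustration of the compressed integer format of [0129] and the forward-only reading rule of [0130]; it is not the appendix code. The names to_c_int and fr_c_int are borrowed from the appendix file names, but their signatures, the stream helpers and the sample values are assumptions made here.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Largest value the preferred embodiment encodes: four bytes, 28 payload bits.
static const uint32_t kMaxCompressedInt = 268435455u;

// Encode a non-negative integer as a compressed integer. The position of the
// first set bit in the leading byte gives the byte count (1xxxxxxx = 1 byte,
// 01xxxxxx = 2, 001xxxxx = 3, 0001xxxx = 4); payload bits run high to low.
// (Signature assumed; only the file name to_c_int.cpp comes from the text.)
std::vector<uint8_t> to_c_int(uint32_t value) {
    if (value > kMaxCompressedInt)
        throw std::out_of_range("value exceeds 28 payload bits");
    // Byte count follows the range boundaries given in [0129].
    std::size_t nbytes = value <= 127u ? 1 : value <= 16383u ? 2
                       : value <= 2097151u ? 3 : 4;
    std::vector<uint8_t> out(nbytes);
    // Fill the trailing bytes from the low end, eight payload bits each ...
    for (std::size_t i = nbytes; i-- > 1;) {
        out[i] = static_cast<uint8_t>(value & 0xFFu);
        value >>= 8;
    }
    // ... then the leading byte: the remaining payload bits plus the length
    // marker bit, which sits at bit (8 - nbytes) counted from the high end.
    out[0] = static_cast<uint8_t>(value | (0x80u >> (nbytes - 1)));
    return out;
}

// Decode one compressed integer starting at buf[pos]; advances pos past it.
// pos must point at a leading byte: 0x80 is both the encoding of 0 and the
// trailing byte of 128 (0x40 0x80), so the stream cannot be read backwards
// or entered mid-value (limitations 2 and 3 of [0130]).
// (Signature assumed; only the file name fr_c_int.cpp comes from the text.)
uint32_t fr_c_int(const std::vector<uint8_t>& buf, std::size_t& pos) {
    if (pos >= buf.size())
        throw std::out_of_range("read past end of stream");
    uint8_t lead = buf[pos];
    // Byte count is one more than the number of leading zero bits.
    std::size_t nbytes = 1;
    for (uint8_t mask = 0x80; mask != 0 && !(lead & mask); mask >>= 1)
        ++nbytes;
    if (nbytes > 4)
        throw std::runtime_error("not a valid compressed integer lead byte");
    if (pos + nbytes > buf.size())
        throw std::out_of_range("truncated compressed integer");
    // Mask off the marker bit and leading zeros, then append trailing bytes.
    uint32_t value = lead & (0xFFu >> nbytes);
    for (std::size_t i = 1; i < nbytes; ++i)
        value = (value << 8) | buf[pos + i];
    pos += nbytes;
    return value;
}

// Encode several values back to back, as a reconstitution file stores the
// offsets group 1390 and the Internet location offsets 1450.
std::vector<uint8_t> to_c_int_stream(const std::vector<uint32_t>& values) {
    std::vector<uint8_t> buf;
    for (uint32_t v : values) {
        std::vector<uint8_t> enc = to_c_int(v);
        buf.insert(buf.end(), enc.begin(), enc.end());
    }
    return buf;
}

// Read a whole stream forward, one compressed integer after another.
std::vector<uint32_t> fr_c_int_stream(const std::vector<uint8_t>& buf) {
    std::vector<uint32_t> values;
    std::size_t pos = 0;
    while (pos < buf.size())
        values.push_back(fr_c_int(buf, pos));
    return values;
}

// Does a list of values survive encoding followed by a forward decode?
bool round_trips(const std::vector<uint32_t>& values) {
    return fr_c_int_stream(to_c_int_stream(values)) == values;
}
```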

[0131] Each reconstitution file 0270 is comprised of a header 1250, a body 1260, and a reconstitution plan 1270. These are detailed in FIGS. 13, 14, and 15 respectively.

[0132] FIG. 13 sets out in sequence the constituent elements of a reconstitution header 1250 within a reconstitution file 0270. The header contains many items, but their cumulative length in the preferred embodiment is under 128 bytes. There are nine elements or groupings in the reconstitution header 1250.

[0133] The first grouping is a set of 15 random bytes 1310 for use in encryption. The reconstitution file 0270 is subjected to a standard form of encryption 2160 using for its key less than the maximum number of bits (currently 40) allowed under the United States Bureau of Export Administration for what is termed “light” encryption. The actual key can be hidden in, derived, and calculated from a set of 15 random bytes 1310 at the beginning of the reconstitution header 1250.

[0134] The reconstitution file type 1320 is indicated by a one byte ASCII flag containing one of three letters: M=Master 1211, B=Backup 1212, D=Distribution 1213.

[0135] The computer identifier code 1330 within the reconstitution header 1250 holds eight binary bytes 0922 generated by the one and only computer that is authorized to handle this specific reconstitution file 0270. Other (even many) computers 0920 may access the same privacy protected archive, but each computer must have its own specially tailored copy of the reconstitution file 0270.

[0136] Thirty bytes (up to 29 characters and a terminal null character) are set aside for the password 1340 required to restrict access to this file to authorized users. In the preferred embodiment, alphabetic letters and digits are retained from the password 0330 specified by the user; all punctuation and other characters are collapsed out. The same logic is used behind the scenes both for initial capture of the password, and for situations where the password must be given. Hence there is no impact on the user. Note that blank passwords are permitted, on the basis that “my computer is my password” where reconstitution files are disguised in computer-specific ways.

[0137] The reconstitution header includes a record 1350 of the dispersion count 0410, a one byte binary value in the range 2 to 16.

[0138] Cascade data 1360 in the reconstitution header is comprised of four elements 1361 through 1364.

[0139] Level of security 1361 is recorded in a one byte binary integer. The value 1 denotes regular security. Value 2 signals heightened security, representing the security level 0350 selected by the user.

[0140] The count of cascades 1362 is stored as a one byte binary value from 1 to 7. This matches the number of cascades 0360 selected by the user.

[0141] The cascade number 1363 within the count of cascades 0360 and 1362 is stored as a one byte binary value ranging from 1 to the maximum number of cascades. It is specifically this cascade number 1363 that distinguishes internally the several reconstitution files 0270 generated in multiple pass cascading fragmentation 0362.

[0142] The offset range 1364 within the index file 0260 consists of two binary integers, specifically the beginning offset and the terminating offset 1160 within the index file 0260 that apply to the current cascade.

[0143] Up to eight random table identifiers 1370 are stored in the next sixteen bytes. These take the form of eight 16 bit binary integers, recording the identifiers 0830 of the one to eight random tables 0230 used in creating the current privacy protected archive 0261 and reconstitution file(s) 0270. If the count of random tables is less than eight, the unused identifier spaces 1370 are filled with random bits.

[0144] A series of five file counts 1380 is stored as compressed integers. Some of these counts are not finalized until the end of a session of privatizing computer files. The individual counts follow.

[0145] (1) Count of random tables 0230 is determined by the program 0930. While initializing, the program 0930 searches the directory 0310 containing random tables 0230. At least one random table 0230 must be present for the process to continue. If from two to eight are present, all are used. If more than eight are present, the program randomly selects eight of them. The random table count 1380 (value 1 to 8) determines how many of the random table identifiers 1370 are valid; the remaining identifiers 1370, if any, are disregarded as random numbers.

[0146] (2) Count 0730 of original data files 0220 made private in the corresponding privacy protected archive 0261.

[0147] (3) Count of composite files 0250 ranges from 2 to 120 and is an exact multiple of the dispersion count 0410. For dispersion counts of 2, 3, 4, 5, 6, 8, 10, 12, and 15 the maximum count is 120 since 120 is a multiple of each of these numbers. The other maxima are set to the nearest multiple under 120: 119 for 7, 117 for 9, 110 for 11, 117 for 13, 112 for 14, and 112 for 16.

[0148] (4) Count of the number of composite segments 1652 is equal to or greater than the count of composite files 0250. A composite segment 1652 is created, camouflaged, and written out whenever a fragment heap 1651 becomes full or is terminated. It is full when it reaches 65,521 or more bytes, i.e., it no longer has capacity for a 16 byte fragment 1620. It is terminated when there is no more input data from original data files. If full, the fragment heap 1651 is padded with random bytes as necessary to 65,536 bytes; if terminated, it is padded to the nearest multiple of 1,024 bytes. In general, if there is more than about 7.5 megabytes of input from original data files 0220 (120 times 65,536), the maximum number of composite files 0250 is in use, and later segments are appended round robin at the end of the composite files 0250 already created.

[0149] (5) Count of Internet redundancy stores the redundancy setting 0430, value 0 to 3 copies, specified by the user.

[0150] A series of offsets 1390 pointing further on within the reconstitution file 0270 completes the header 1250. All but two of these compressed integer offsets are measured in bytes from the beginning of the reconstitution file 0270. Eight offsets follow:

[0151] (1) The first offset points to the beginning of location strings 1410.

[0152] (2) The second is a relative offset, added to the first offset to find the location string which indicates the directory 0310 containing random tables 0230.

[0153] (3) The third offset is also relative, added to the first offset to find the location string which indicates the working directory 0420.

[0154] All remaining offsets are counts of bytes from the beginning of the reconstitution file 0270.

[0155] (4) The fourth points to the name 1420 of the first (and perhaps only) reconstitution file 0270.

[0156] (5) The fifth offset points to the name 1430 assigned to the index file 0260.

[0157] (6) The sixth offset points to the name 1440 assigned to the first of the composite files 0250.

[0158] (7) The seventh offset points to the beginning of an array of from zero to 48 compressed integers, the active elements of variable PvtLocOffsets[16][3], where each element is a relative offset within location strings 1410. These strings are the target Internet locations 0440, if any, of composite files 0250. From 0 to 3 Internet locations are used for each of the “dispersion count 0410” (2 to 16) groupings of composite files 0250. Technical caution: the seventh offset is absolute, but the array to which it points contains relative offsets. In the case that the redundancy count 0430 is zero and Internet locations 0440 are not assigned, this seventh offset contains a value that may be disregarded.

[0159] (8) The eighth and last offset in group 1390 points to the beginning of the reconstitution plan 1270.

[0160] FIG. 14 delineates in order the elements comprising the reconstitution body 1260 within the reconstitution file 0270. These elements are either variable length or unpredictable in number until all variables (see FIG. 13) in the reconstitution header 1250 are known.

[0161] Location strings 1410 are null terminated ASCII strings. They take one of two forms. Those on hard drive or on local-area network (“LAN”) drives each contain a drive letter, a colon, and a directory or subdirectories sequence (example: “c:\data\RandomTables”). Internet locations typically start with “ftp.” or “www.” followed by a text string, a type identifier, and possible directory and subdirectory elements separated by slashes. The first location string 1410 is normally that of the directory 0310 containing the random tables 0230. The second is normally that of the working directory 0420. Location strings 1410 are written one after the other, with only a terminating null to separate them. Location strings 1410 are referenced by their relative offsets within this concatenated list. For example, the first location is zero, the second location counts forward the length of the first location plus one for its null.

[0162] Names 1420 of reconstitution files 0270 are as discussed under 0451 names of output files, 0320 name of first reconstitution file, and 0450 prefix for output file names. The next two entries 1421 and 1422 provide detail.

[0163] The name of the first reconstitution file 1421 appears in long form. The user was given the option to impose a name 0320 for the first reconstitution file 0270. Long form names in many operating systems may be up to 256 bytes in length. If no name was imposed, a scrambled name is used. The name, whatever its derivation, is stored at this point in the reconstitution body 1260.

[0164] Names of additional reconstitution files 1422, if any, are stored in the short form. If multiple pass cascading fragmentation 0362 is used, there are up to six additional reconstitution files 0270 created, one for each cascade after the first. The names are as discussed under names of output files 0451 (see also 0450, 0452, and 1230). When stripped of its .REC suffix, each name is comprised of exactly 8 bytes of letters and digits; the last five or more are randomly selected. These additional names (if any) are recorded immediately after the name of the first reconstitution file 1421, each with a terminating null byte.

[0165] The name 1430 (see also 1170) of the one index file 0260 is disguised under what appears to be the name of a composite file 0250. The first eight bytes of that name with a terminating null byte are recorded at this point in the reconstitution body.

[0166] The names 1440 of the 2 to 120 composite files are stripped of their .PVT suffix. The eight byte names as discussed above (0451 and 0450) are listed one after another at this point in the reconstitution body 1260. Each eight byte name is followed by a terminal null.

[0167] Offsets of Internet locations 1450 take the form of from zero to 48 compressed integer relative offsets within location strings 1410. The actual number is determined by calculating the redundancy setting 0430 (range 0 to 3) times the dispersion count 0410 (range 2 to 16). Each Internet location string appears as a null terminated ASCII sequence within strings 1410; among offsets 1450 each is referenced by its relative offset within the set of location strings 1410 within the reconstitution body 1260.

[0168] FIG. 15 sets out the elements that are the building blocks of the reconstitution plan 1270. The reconstitution plan 1270 is a compressed list of the steps required to reconstitute original data files 0220 from the dispersed composite files 0250 and the index file 0260. The process of reconstituting data 0160 is a precise and exact step-by-step reversal of the actions taken during the fragmentation run 1740. For example, some action codes are associated with the opening or closing of files. Where a code represents opening a file for processing in fragmentation 1740, that code represents closing the same file and finishing processing of that file in reconstitution 0160. The same reversing effect applies to all actions. One consequence is that files must be fully identified both when they are opened and when they are closed.

[0169] The reconstitution plan 1270 comprises one byte action codes followed immediately by a trailer appropriate to that action code. In the plan 1270, action codes and trailers are interspersed as one continuous byte stream. There are 12 action codes; their numbering is historical accident deriving from creation of the first prototype. The one essential feature is that the numbers must be under 256 so that each code may be expressed in one byte. The discussion at this point views the reconstitution plan as a completed entity; FIGS. 18, 19, and 20 deal with how this entity is created.

[0170] Each record 1501 within the reconstitution plan denotes an action code 01. The most basic process in the system and method to privatize computer data 0110 is to identify a fragment 1620 from within an original data file 0220, apply disguising techniques to the fragment, and assign it a location in one of a plurality of fragment heaps 1651. This process is directed by a fragment handling guide 1640, which is drawn from a random table 0230. A lengthy series of such actions 1501 can be recorded very compactly in only five bytes: the 01 code in one binary byte, the two byte address of a starting location for the first in a series of fragment handling guides 1640, and the two byte address of the last location in that series. In the process of reconstituting privatized data 3040 this five byte sequence provides all that is needed to apply in reverse order a series of fragment handling guides 1640 in order to remove disguises from fragments 1620 drawn now in reverse round-robin order from composite files 0250 and to reconstitute the original data files 0220 in their vulnerable form.

[0171] Each record 1502 denotes an action code 02. This is a single instance of applying only one fragment handling guide 1640 to one particular fragment 1620. Action code 02 is used in the special case where the fragment 1620 constitutes the remaining byte(s) at the beginning of an original data file 0220, and that fragment is shorter than is indicated by the selected fragment handling guide 1640. The trailer for an action code 02 consists of the two byte address of the specific fragment handling guide 1640 and one byte indicating the actual length of the residual fragment 1620. Entity 1502 (action code 02) is relatively infrequent: not more than the number 0730 of original data files 0220 that comprise input for one privacy protected archive 0261.

[0172] Each record 1511 denotes an action code 11. This one byte code plus a compressed integer trailer indicates the closing of an original data file 0220 which is output during reconstitution 0160. (During fragmentation 1740, the same 1511 action indicates opening the next available original data file 0220 as input.) The trailer is the offset within the index file 0260 where information is stored regarding that original data file's name 0540, directory location 0530, size 0560, date and time 0570. Where there is only one cascade (single pass fragmentation 0361), the trailer is an absolute offset within the index file 0260. Where there has been multiple pass cascading fragmentation 0362, the trailer for an action code 11 is relative within the offset range 1364 indicated within the reconstitution file 0270.

[0173] Each record 1512 denotes an action code 12. This one byte code plus a compressed integer trailer is the counterpart of an action code 11 (entity 1511). Action code 12 signals opening the next available original data file 0220 during reconstitution and closing it during fragmentation. The trailer is an offset in the index file 0260, the same as in action code 11.

[0174] Each record 1513 denotes an action code 13. There are up to 16 file pointer streams available for input during fragmentation 1740, or output during reconstitution 3040, of data elements read from or written to original data files 0220. Each such file is opened once and closed once; during the time that it is open, the original data file 0220 is associated with one and only one stream. The streams are numbered 0 through 15. Thus, while it is open, an original data file 0220 is fully identified by a four bit (half a byte) stream number. This very compact identifier is used within fragment handling guides 1640; since these are drawn from random tables, the effect is unpredictability with respect to where fragments are drawn from or written to. Streams are opened only once, and closed only once during either privatizing 1740 or reconstitution 3040. Zero, one, or a plurality of original data files 0220 may be handled through one stream, but only one file at a time. When there are over 16 original data files 0220, then all streams will be open for at least part of the processing. When a file associated with that stream is closed, the next file to be opened will be associated with that same stream. It is of fundamental importance to know which streams are open and which are closed. Action code 13 plus one binary byte containing the stream number 0 to 15 signals opening a stream for the first time during reconstitution and permanently closing the stream during fragmentation once the point is reached that there are no further original data files 0220 to process. Action code 13 is used once for each stream number. When a stream is closed, the stream number in any fragment handling guide 1640 defaults automatically to the next higher stream number that is still open (cycling through . . . , 14, 15, 0, 1, 2, . . . and up as needed).

[0175] Each record 1521 denotes an action code 21. This one byte code has a trailer of four integers. During reconstitution 3040, action code 21 prompts a sequence of identifying a composite file 0250, opening that file, identifying and positioning to a composite segment 1652 within that file, reading that segment into a fragment heap 1651, closing the composite file 0250, and positioning a pointer to the first byte past the end of the real data in the segment (to any random padding that filled the segment out to 65,536 bytes or to some lower multiple of 1,024 bytes). The four integers in the trailer are: (a) a two byte size 1654 of the composite segment 1652 in bytes prior to random padding—typically a value just less than 65,536, with the value zero interpreted as exactly 65,536; (b) a one byte value 0 . . . 119 which specifies a particular one of the up to 120 composite files 0250; (c) a one byte value 0 . . . 15 which specifies one of the fragment heaps 1651; and (d) a compressed integer containing the offset in multiples of 1,024 at which the composite segment 1652 begins within the composite file 0250. Example: Suppose an action code 21 appears in the reconstitution plan followed by the four values 65531, 97, 2, and 192. That means that the segment is 65,531 bytes long, and the composite file 0250 name and related data are found at subscript 97. The segment of interest will be placed in fragment heap subscript 2 during reconstitution, and will be read from the target file starting at 192 k (byte # 196608).

[0176] Each record 1522 denotes a dummy action code 22. This is used during a fragmentation run 1740 to carry temporarily some of the trailer data for action code 21. Action code 22 does not appear in the reconstitution plan 1270 and is not used in the reconstitution process 3040.

[0177] Each record 1531 denotes an action code 31. This one byte code with a one byte trailer signals a cessation of use, at least for the time being, of a random table 0230 during the reconstitution process 0160. The trailer holds the subscript 0 . . . 7 of the random table. This subscript in turn points to the 65,551 byte buffer 1630 set aside for the random table and to one of the eight random table identifiers 1370 in the reconstitution header 1250. In every instance but the last, an action code 31 and its trailer are followed by an action code 32.

[0178] Each record 1532 denotes an action code 32. This one byte code plus its one byte trailer are the counterpart to action code 31. Action code 32 refers to the commencement of use of a random table 0230 during the reconstitution process 0160. The trailer is exactly as for action code 31.

[0179] Each record 1541 denotes an action code 41. Content of the camouflage buffer 1680 is swapped at random intervals during processing in both directions. Action code 41 signals closing out the use of one set of contents during reconstitution. The one byte trailer contains an entry number 0 . . . 119, which specifies a particular one of the up to 120 composite files 0250.

[0180] Each record 1542 denotes an action code 42, the counterpart of action code 41, with the same one byte trailer. Action code 42 signals loading the camouflage buffer with the first 65,536 byte sector of the indicated composite file 0250.

[0181] Each record 1591 denotes an action code 91. This last action code takes a four byte trailer, identical in makeup to the action code 01 trailer, that is, a beginning 16 bit offset and a terminating 16 bit offset within the currently active random table 0230. Action code 91 indicates a series of exclusive OR operations being applied from the camouflage buffer 1680 to a composite segment 1652 in both directions of processing. During fragmentation 1740, a random number of exclusive OR operations are applied from the camouflage buffer 1680 to the composite segment 1652 just before it is written out to a composite file 0250. During reconstitution 3040, the same exclusive ORs are applied (in the reverse order) to a composite segment 1652 just after it has been read into the buffer for the fragment heap 1651 from the composite file 0250. Each exclusive OR operation is guided by 6 bytes in the active random table 0230. Action code 91 appears in the reconstitution plan as the very first entry after a composite segment 1652 has been read in. The trailer indicates a range of bytes in the currently active random table 0230—from 2 byte address to 2 byte address. Each two byte address in the range points to a six byte portion, again within the currently active random table 0230. This six byte portion is treated as three two byte integers: (a) starting byte in the camouflage buffer, (b) starting byte in the fragment segment buffer, and (c) length of the exclusive OR operation. Exclusive ORs are truncated if they pass the end of either the camouflage buffer 1680 or the composite segment 1652 held in the buffer for the fragment heap 1651.
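A decoder for the plan byte stream described in [0169] through [0181], added here as an example; it is not code from the patent's microfiche appendix. It assumes the action codes are the decimal values printed above, that two-byte fields are little-endian, and that a "compressed integer" is a base-128 varint, none of which the text specifies; the sample plan is constructed and begins with the action code 21 example (65531, 97, 2, 192) from [0175].

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SEGMENT_MAX = 65536   # a size field of zero means exactly 65,536 bytes ([0175])
KIB = 1024            # code 21 offsets are in multiples of 1,024 bytes
DUMMY_CODE = 22       # carried only in the temporary file 1690, never in the plan ([0176])


@dataclass
class PlanRecord:
    code: int
    fields: Dict[str, int]


def encode_varint(n: int) -> bytes:
    """Assumed 'compressed integer' format: 7 bits per byte, high bit marks continuation."""
    if n < 0:
        raise ValueError("compressed integers are unsigned")
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Read one compressed integer at pos; return (value, new position)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated compressed integer")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("compressed integer too long")


def read_u8(buf: bytes, pos: int) -> Tuple[int, int]:
    if pos >= len(buf):
        raise ValueError("truncated plan")
    return buf[pos], pos + 1


def read_u16(buf: bytes, pos: int) -> Tuple[int, int]:
    # Assumption: two-byte addresses and sizes are little-endian.
    if pos + 2 > len(buf):
        raise ValueError("truncated plan")
    return buf[pos] | (buf[pos + 1] << 8), pos + 2


Reader = Callable[[bytes, int], Tuple[int, int]]

# Trailer layout of each action code, in the order the fields appear ([0170]-[0181]).
LAYOUT: Dict[int, Tuple[Tuple[str, Reader], ...]] = {
    1:  (("guide_begin", read_u16), ("guide_end", read_u16)),
    2:  (("guide_addr", read_u16), ("residual_length", read_u8)),
    11: (("index_offset", decode_varint),),
    12: (("index_offset", decode_varint),),
    13: (("stream", read_u8),),
    21: (("segment_size", read_u16), ("composite_file", read_u8),
         ("fragment_heap", read_u8), ("offset_kib", decode_varint)),
    31: (("random_table", read_u8),),
    32: (("random_table", read_u8),),
    41: (("composite_file", read_u8),),
    42: (("composite_file", read_u8),),
    91: (("xor_begin", read_u16), ("xor_end", read_u16)),
}

# Upper bounds the text states for one-byte values; anything above marks a corrupt plan.
LIMITS = {"stream": 15, "composite_file": 119, "fragment_heap": 15,
          "random_table": 7, "residual_length": 16}


def decode_plan(plan: bytes) -> List[PlanRecord]:
    """Walk the byte stream and return one record per action code, validating as it goes."""
    records: List[PlanRecord] = []
    pos = 0
    while pos < len(plan):
        start = pos
        code, pos = read_u8(plan, pos)
        if code == DUMMY_CODE:
            raise ValueError(f"dummy action code 22 at offset {start} must not appear in a plan")
        if code not in LAYOUT:
            raise ValueError(f"unknown action code {code} at offset {start}")
        fields: Dict[str, int] = {}
        for name, reader in LAYOUT[code]:
            fields[name], pos = reader(plan, pos)
            if name in LIMITS and fields[name] > LIMITS[name]:
                raise ValueError(f"{name}={fields[name]} out of range at offset {start}")
        if code == 21:
            fields["segment_size"] = fields["segment_size"] or SEGMENT_MAX
            fields["byte_offset"] = fields["offset_kib"] * KIB
        records.append(PlanRecord(code, fields))
    return records


# Constructed sample plan (not from the patent). It starts with the code 21 example from
# the text (65531, 97, 2, 192), then a code 91 range, a code 01 series and a code 13 stream.
SAMPLE_PLAN = bytes([
    21, 0xFB, 0xFF, 97, 2, 0xC0, 0x01,   # size 0xFFFB = 65531, file 97, heap 2, 192 KiB as varint
    91, 0x10, 0x00, 0x40, 0x00,          # XOR guide addresses 0x0010 .. 0x0040
    1,  0x00, 0x01, 0xF4, 0x01,          # fragment guides 0x0100 .. 0x01F4
    13, 0x0F,                            # stream 15
])

if __name__ == "__main__":
    for record in decode_plan(SAMPLE_PLAN):
        print(record)
```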

[0182] The purpose of action code 91 is to destroy all, if any, vestige of pattern in composite files 0250. The content of the camouflage buffer 1680 is randomly changed. All exclusive OR operations are random and unpredictable. The result is that the person wishing to recover data is utterly dependent on access to the reconstitution plan 1270 within the reconstitution file 0270. There is a staggeringly high number of possible exclusive OR options across a privacy-protected archive 0261. For a reverse engineer, there is no objective evidence to show whether any particular attempt has been an improvement or deterioration in progress toward the solution. Without the reconstitution file 0270 to provide the reconstitution plan 1270, a reverse engineer or even a person equipped with full source code is unable to retrieve the original data files 0220 in their vulnerable form.
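The action code 91 exclusive OR camouflage of [0181] and [0182], carried through as an added example (not the patent's code): the trailer range is resolved to (camouflage start, segment start, length) triples, each XOR is truncated at the end of either buffer, and the reconstitution direction applies the same operations in reverse. The random table and camouflage buffer are constructed; two-byte values are assumed little-endian and the trailer's end address is assumed exclusive.

```python
from typing import List, Tuple

TABLE_LEN = 65536       # one random table 0230
WRAP_LEN = 15           # [0189]: the first 15 bytes are repeated after the table
CAMOUFLAGE_LEN = 65536  # [0194]: the camouflage buffer 1680 matches a table in size


def _u16(buf: bytes, pos: int) -> int:
    # Assumption: two-byte values inside the random table are little-endian.
    return buf[pos] | (buf[pos + 1] << 8)


def xor_ops_for_range(table: bytes, begin: int, end: int) -> List[Tuple[int, int, int]]:
    """Resolve an action code 91 trailer (begin, end) into (cam_start, seg_start, length)
    triples. Each two-byte address in the range names a six-byte portion of the same table.
    Assumption: end is exclusive and the addresses are read two bytes apart."""
    if not (0 <= begin <= end <= TABLE_LEN) or (end - begin) % 2:
        raise ValueError("bad address range in action code 91 trailer")
    ops = []
    for addr in range(begin, end, 2):
        ptr = _u16(table, addr)
        if ptr + 6 > len(table):
            raise ValueError("six-byte portion runs past the table")
        ops.append((_u16(table, ptr), _u16(table, ptr + 2), _u16(table, ptr + 4)))
    return ops


def apply_xor_op(segment: bytearray, camouflage: bytes,
                 cam_start: int, seg_start: int, length: int) -> int:
    """One exclusive OR from the camouflage buffer onto the segment, truncated at the end
    of either buffer as [0181] requires. Returns the number of bytes actually changed."""
    n = max(0, min(length, len(camouflage) - cam_start, len(segment) - seg_start))
    for i in range(n):
        segment[seg_start + i] ^= camouflage[cam_start + i]
    return n


def camouflage_segment(segment: bytes, camouflage: bytes, table: bytes,
                       begin: int, end: int) -> bytearray:
    """Fragmentation direction (1740): apply the operations in forward order to a copy."""
    out = bytearray(segment)
    for op in xor_ops_for_range(table, begin, end):
        apply_xor_op(out, camouflage, *op)
    return out


def uncamouflage_segment(segment: bytes, camouflage: bytes, table: bytes,
                         begin: int, end: int) -> bytearray:
    """Reconstitution direction (3040): the same operations in reverse order."""
    out = bytearray(segment)
    for op in reversed(xor_ops_for_range(table, begin, end)):
        apply_xor_op(out, camouflage, *op)
    return out


def build_sample_table() -> bytearray:
    """Constructed table: zero-filled except for two addresses at 0x0010 that point to two
    op triples; the second triple deliberately overruns the camouflage buffer."""
    t = bytearray(TABLE_LEN)

    def put16(pos: int, value: int) -> None:
        t[pos], t[pos + 1] = value & 0xFF, value >> 8

    put16(0x0010, 0x1000)
    put16(0x0012, 0x2000)
    put16(0x1000, 0); put16(0x1002, 0); put16(0x1004, 4)        # cam[0:4] onto seg[0:4]
    put16(0x2000, 65534); put16(0x2002, 2); put16(0x2004, 8)    # only 2 camouflage bytes remain
    return t + t[:WRAP_LEN]


if __name__ == "__main__":
    table = build_sample_table()
    camouflage = bytes(range(256)) * 256      # constructed stand-in for 1680
    hidden = camouflage_segment(b"ABCDEFGH", camouflage, table, 0x10, 0x14)
    print(hidden.hex(), uncamouflage_segment(hidden, camouflage, table, 0x10, 0x14))
```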

[0183] Note that action code 91 is applied only during the last cascade if the user has selected multiple pass cascading fragmentation. Very little is achieved by obscuring patterns in the temporary files since the interim outputs are deleted and only the last set of composite files 0250 is kept.

[0184] All discussion to this point has been of inputs and outputs pertaining to the system and method to privatize data 0110. FIG. 16 introduces intermediate objects 0280 which support the processing required to convert inputs to outputs. There are ten such objects or groupings of objects. Variable names are shown for some of the elements in the support groups; these names are drawn from the microfiche appendix accompanying this patent application; see in particular the header file “PryvitDL.h”.

[0185] (1) Intermediate object group 1610 comprises support for 16 concurrently active original data files 0220. The user's original data files 0220 are unpredictable in size and number. There is no assurance that it is safe to read an entire file into random access memory. Hence each such file is brought one segment at a time into a specific one of 16 original data buffers. The primary members of intermediate object group 1610 are 16 original data buffers 1612, and a current input identifier 1613. The latter is a value from 0 to 15 which designates which of the up to 16 members of the group is being currently referenced.

[0186] Most operating systems allow more than 16 file streams to be open at one time, but not necessarily 32 or more. The limit of 16 open file streams is selected both because it is supported by all relevant operating systems, and further because it allows a file that is open to be completely identified by a four bit value 0 through 15. The result is that references to one of the user's original data files 0220 can be compressed to four bits within the reconstitution plan 1270.

[0187] The original data buffers 1612 take the form of an array of one byte integers named “OrigBuff[16][2048]”. (The value 2048 is arbitrary; any value may be selected that is appropriate for memory management under the implementation's selected operating system and computer language.) The current input identifier 1613, that is, the currently referenced member in the support group 1610, is identified by an integer “CurrOrigNo” (value 0 to 15) drawn from a fragment guide 1640. Other relevant variables in intermediate object group 1610 are: (a) integer “sizeOrigFile[16]”=the size of each original data file 0220 currently open, (b) integer “TimeStamp[16]”=the date and time of each such original data file, (c) integer “OrigDirLocn[16]”=the offset within the location strings 1410 of each such file's directory location, (d) file stream pointers “fpOrig[16]”=operating system access to up to 16 currently open original data files 0220, (e) integer “ptOrigBuff[16]”=pointers within each buffer, and (f) single byte integer “OrigStreamActive[16]”=a flag to indicate for each stream whether it is currently active/open, with 0 indicating inactive and 1 indicating normal operations.

[0188] (2) A fragment 1620 is an essential subset of an original data file 0220. In processing to privatize data 0290, original data files 0220 are exploded into fragments 1620 with each fragment ranging from 1 to 16 bytes in length. The small and unpredictable size of fragments 1620 and the further unpredictable ways in which fragments 1620 from multiple original data files 0220 are disguised and placed together in composite files 0250 enhances the method's intended indecipherable pattern-free privacy.

[0189] (3) The random table buffer 1630 supports eight random tables 0230 in memory. Logic in later processing is simplified if each of eight sections within the buffer is 65,551 bytes rather than only 65,536 bytes in length. The program 0930 has identified the directory 0310 containing random tables 0230. It searches that directory for names of the form PVT#####.TBL; there must be a minimum of one for the program to continue. If over eight random tables are present, the program randomly selects any eight. If eight or fewer are present, all are selected. Each of the selected random tables is read into one of eight sections in the buffer (single byte integer “RTable[8][65551]”); then the first 15 bytes are copied over into the extra space at the end of the section. This means that the longest fragment 1620 (16 bytes) can be matched by any two byte address zero to 65,535 within the random table 0230. A pointer within the active table is declared (integer “ptRTable”) for a variety of uses. A further need is to know which random table 0230 is currently active; this subscript is stored in an integer “ActiveRTable”.

[0190] (4) A fragment handling guide 1640 comprises six successive bytes from the random table 0230. In step 1840 the fragment handling guide will be broken into components. The first component is current input identifier 1613 which designates which of the up to 16 input streams will act as the source of the fragment. This value 0 to 15 is taken from the high order four bits of the first byte of the fragment guide 1640. The length 1642 of the fragment (integer “FragmentLength”) is calculated by adding one to the value in the last four bits of the same byte; the length ranges between 1 and 16. In the special case 1502 where the length remaining in the original data file 0220 is shorter than that calculated from the guide 1640, the length 1642 is set to the actual remaining length. The second and third bytes of the guide 1640 are treated as a pointer 1643 (integer “BgnFragXOR”) within the currently active random table 0230 to a stream of random bits equal in length to the fragment 1620. These random bits will be overlaid on the fragment in an exclusive OR operation as a method of primary disguise of the fragment. The fourth through sixth bytes of the guide 1640 are each split into two 4 bit integers, “DisguiseMethod[3]” and “DisguiseParam[3]”, the high and low four bits of each byte respectively. These fragment disguise controls 1644 guide up to three additional mathematical techniques that may be applied to a fragment 1620 to disguise its content.

[0191] (5) Intermediate object group 1650 is support for 16 fragment heaps 1651 (single byte integer “FragHeap[16][65536]”). Each 65,536 byte heap is a repository (or storage structure, such as, but not limited to a buffer) for fragments 1620 that have been drawn from the original data files 0220 and disguised per the parameters in a fragment guide 1640. Only “dispersion count 0410”, that is, 2 or more of the fragment heaps 1651 will be in use; any extras in the range “dispersion count plus one” up to 16 are idle. Pointers (integer “ptFragHeap[16]”) indicate accumulated bytes in each heap. When a fragment heap is so full that it cannot contain the next fragment, or when there are no original data buffers 1612 remaining active within intermediate object group 1610, the size 1654 of the fragment heap 1651 is noted, and then the fragment heap 1651 is padded as necessary with random bytes out to the next multiple of 1,024 bytes. At this point (being full or terminated, and then padded), the content of the fragment heap 1651 becomes a composite segment 1652. This composite segment 1652 is subjected to a camouflage process (1680 and 2085), then written or appended to a composite file 0250.

[0192] (6) Group 1660 is support for 120 composite files 0250, many of which may be inactive throughout one session of privatizing original data files 0220. (a) An integer value, “MaxCtPvtFiles”, is calculated based on the dispersion count 0410 to set the actual maximum number of composite files 0250. Per the discussion under the third of the five file counts 1380, for dispersion counts of 2, 3, 4, 5, 6, 8, 10, 12, and 15 the maximum count is 120 since 120 is a multiple of each of these numbers. The other maxima are set to the nearest multiple under 120 . . . 119 for 7, 117 for 9, 110 for 11, 117 for 13, 112 for 14, and 112 for 16. This count is included as the third among the five file counts 1380 included in the reconstitution header 1250. (b) Another integer, “ctPvtFiles”, tracks the count of composite files actually created, up to the above maximum value. (c) An integer “ctPvtSegments” counts the segments written so far; this is the same as the count of files until the maximum count is reached. (d) The names of 120 composite files 0250 (as well as the index file and seven reconstitution files) are created, per the discussion under the heading names of output files 0451. The 128 names are checked for uniqueness in characters 4 through 8, and more names are created as necessary to ensure this uniqueness. If the user has specified a common prefix 0450 to the output file names, this is applied to all the names. Note that composite files 0250 are only opened momentarily, and only one at a time, in order to write or to append a composite segment 1652. There are therefore no ongoing file pointers or open streams for output composite files 0250 (in contrast to the handling of input).

[0193] (7) Group 1670 is support for one index file 0260 as described in FIG. 11.

[0194] (8) The camouflage buffer 1680 supports camouflage of composite segments 1652. The camouflage buffer is exactly 65,536 bytes in size, matching the size of a random table 0230 and a full fragment heap 1651. The camouflage buffer 1680 can be declared as single byte integer “Camouflage[65536]”, together with a pointer (integer “ptCamouflage”) within the buffer, and another integer (integer “idCamouflage”) to specify current contents of the buffer. When initialized, the buffer is loaded with a copy of the first 65536 bytes of the first section of the random table buffer 1630, and the identifier is set to some “magic number” outside the normal range to identify the temporary special content. It is sufficient at this point to initialize the camouflage variables; usage of the camouflage buffer will be discussed in 2020 and 2085.

[0195] (9) Group 1690 relates to a temporary file to accumulate fragmentation steps. This fragmenting record is unpredictable with respect to number of steps and cumulative size. Since the information is not used until it is time to build the reconstitution plan (steps 2130 and 2140), another entity is initialized at this point. A temporary file 1690 is established to record fragmentation actions/steps. The file consists of one byte action codes alternating with four byte fixed length trailers. A count of fragmentation action records is helpful data. Records 1501 merit special handling, since one action code and one trailer summarize many sequential action code 01 steps. Therefore provision is made to count unbroken sequences of action code 01 steps and to record the offset of the first fragment guide 1640 within the currently active random table 0230.

[0196] (10) Group 1695 relates to support for location strings. There is one directory 0310 on hard disk for all the random tables 0230, one location on hard disk for the working directory 0420, and up to 16 times 3 (or 48) Internet locations 0440 (see also 1450). Data must be put in its final form in order to have access to the offset of each location within the buffer. Assuming the worst case of 256 bytes for each of the 1+1+48 locations means that it is sufficient to set aside a buffer of 12,800 bytes. Support includes the necessary pointers to these up to 50 strings.

[0197] FIGS. 17 through 21 deal with processing steps acting upon or creating the input, output, and intermediate entities above.

[0198] FIG. 17 provides a first level of detail of the steps involved in processing 0290 to privatize data. Before getting into detail, consider the key aspects of FIG. 17. After initialization, fragments 1620 of up to 16 original data files 0220 at a time are drawn in apparently random order progressively forward from the end of each input file, disguised, and added round robin at the end of fragment heaps 1651. Completed fragment heaps 1651 are padded into composite segments 1652, then camouflaged and written out to composite files 0250. The balance of the method comprises the steps of creating a reconstitution file 0270, finalizing and dispersing the various outputs, and reporting results to the user.

[0199] Now for greater detail regarding FIG. 17. The user is presumed to have clicked on the first tool bar icon in FIG. 01, the system and method to privatize computer files 0110.

[0200] In step 1710, the user inputs the control selections. Behind the scenes, the program devises the preferred default values and displays them within the “options” (FIG. 03), “locations” (FIG. 04), “select files” (FIG. 05), and “select drive” (FIG. 06) dialogs. The user's choices within these dialogs are presented in detail earlier in this document (FIGS. 03 through 06).

[0201] Step 1720 is to initialize the intermediate objects 0280 as detailed in FIG. 16. This initialization in part precedes, in part is simultaneous with, and in part follows up on step 1710. Most of the detail can be inferred from FIG. 16. Certain portions warrant further comment. For example, with the current file selection list 0520 in hand, it is possible to open up to sixteen original data files 0220 (see intermediate object group 1610). Here refer to function “OpenOneOrig.cpp” in the microfiche appendix, which holds the precise logic for opening each input original data file 0220; that logic is summarized here. The first time data is read from an original data file 0220 into one of the 16 original data buffers 1612 within intermediate object group 1610, the system positions to 2,048 bytes before the end of the original data file 0220 and reads the last 2,048 bytes into the appropriate one of the 16 original data buffers 1612 in sequential order. In the actual processing (FIGS. 18 and 19), under direction from the random table 0230 and the fragment handling guide 1640, fragments are drawn successively from the end and progressively forward from the original data buffer 1612, and are added at the end of the next fragment heap 1651 in sequence. Key point: Original data files 0220 are fragmented from the end, moving progressively forward. The cost in complexity is minor compared to the efficiency and simplicity that are achieved in writing out reconstituted original data files 0220 when they are later retrieved 0160 from their privatized state.

[0202] Each time a portion of an original data file 0220 is loaded for the first time, a file pointer to an input stream is opened. If there are fewer than 16 original data files 0220 in total within the selection list of data files 0520, then a flag should be set to indicate there are fewer than sixteen input files (see intermediate object group 1610).

[0203] Initialization 1720 must provide for cascading 0362 if this has been selected. This is accomplished in part by putting step 1740 within a loop with “count of cascades 0360” (1 to 7) iterations.

[0204] The central task within FIG. 17 is to fragment (1740) original data files 0220. Detail of this processing is found in FIGS. 18, 19, and 20.

[0205] Step 1750 is reached from step 1820 when all input data has been processed. Step 1750 consists of finalizing and dispersing composite files 0250. Each fragment heap 1651 is randomly padded 2010 to the nearest 1,024 byte multiple, transforming it into a composite segment 1652. The remaining steps in FIG. 20 are repeated for each of the fragment heaps 1651. If the user has elected to disperse composite files 0250 to Internet locations 0440, all files are copied, normally by file transfer protocol (FTP), to their respective Internet destinations.

[0206] Step 1760 is to finalize the index file 0260. It has been written to disk progressively during fragmentation. If a suitable disguising technique has not been applied during processing, the content may be retrieved, its contents disguised, and written out with the assigned name 1170. If outputs are being dispersed to the Internet, the index file 0260 should be sent to the first of the “dispersion count 0410” sites (with copies to mirror sites if redundancy count 0430 is greater than one).

[0207] Step 1770, building a reconstitution file, is described in FIG. 21.

[0208] Step 1780 consists of housekeeping matters such as closing files that are open, and deleting original data files 0220 if the user selected the option 0340 for automatic deletion. Deletion may be more secure if the content of the file is overwritten with random data and saved prior to its deletion. Step 1780 normally includes reporting to the user successful completion. The version in the microfiche appendix also reports timing. When an exceptional situation occurs, the interface must list specific error situations encountered in the process of privatizing computer data.

[0209] FIG. 18 sets out detail underlying step 1740, fragmenting original data files 0220. This processing is set up within a loop that may be traversed hundreds of thousands of times for one set of original data files 0220. There is considerable detail within each step shown in FIG. 18. A good implementation depends on checking very quickly whether each particular step applies on a particular iteration. For example, steps 1810 (check input status), 1830 (process random table matters), and 1860 (ensure space for fragment) normally amount to nothing more than a very high speed check of a condition before proceeding to the next step. The core steps of fetching a fragment guide and interpreting it 1840, applying the guide to disguise and append a fragment to a fragment heap 1880, and recording an action 1890 are each very quick. The net result is that the user perceives a rapid completion of the task of privatizing an entire set of original data files 0220. The version in the microfiche appendix demonstrates the speeds that can be attained in a good implementation.

[0210] FIG. 18 consists of the following repetitive steps.

[0211] Step 1810 is to reset and check input data status. There is no need each time to check every one of the up to 16 inputs, but only the one input from which a fragment was drawn in the preceding iteration. If 16 or more bytes remain (enough for the largest possible fragment), then nothing more remains to be done in step 1810. In the exceptional situation in which the number of bytes remaining in the most recently active original data buffer 1612 has dropped below 16, only then is it necessary to proceed through the detail of step 1810 found in FIG. 19.

[0212] Step 1820 is to determine whether every input stream has reached the point of having no further input data. This amounts to checking a flag that is set within the detail in FIG. 19. If more input data exists, processing passes to step 1830. Once and once only, when the point is reached in which all data has been used up, processing passes instead to step 1750, finalizing and dispersing the composite files 0250.

[0213] Step 1830 serves the purpose of reducing predictability and suppressing the emergence of patterns that might otherwise inform a reverse engineer who is trying to interpret files within a privacy protected archive 0261. Processing random table matters 1830 may be subdivided into periodic swap of the active random table 1831 and periodic swap of the start position step 1832 within the active random table 0230.

[0214] In step 1831, it must first be determined whether it is time toswap the selection of which section of the random table buffer 1630 iscurrently active. If only one section of the random table buffer 1630 isin use, the answer remains “no” throughout. If two or more random tables0230 have been found and loaded during initialization (1720 and 1630),then swaps are possible. If there are three or more, the choice of whichto designate the active section is made randomly. In function“HandleRTable.cpp” in the appendix, the swaps are set to occur on theaverage once in every 256 fragments 1620 that are processed. This mustbe at random rather than calculated intervals, since a central objectiveof the present invention is unpredictability. Therefore, a random numberis selected each time this point is passed. If the random number is amultiple of 256, the choice of section within the random table buffer1630 is swapped (one chance in 256). If there is a swap, it is recordedwith an action code 32 (close during fragmenting 1532) followed by anaction code 31 (open during fragmenting 1531). The swap amounts only toa change of subscript (integer “ActiveRTable”) from one value to anotherwithin the range zero to seven.

[0215] In step 1832, it is determined whether it is time to changeposition within the current section of the random table buffer 1630. Theanswer is yes under any of following conditions: (a) the pointer iswithin six bytes of the end of the underlying random table 0230, (b) arandom table swap has just taken place, or (c) a random number is amultiple of 512 (one chance in 512). Note that repositioning within arandom table buffer 1630 breaks a series of action code 01 processes.The next action code 01 (record 1501) must start with a new beginningposition.

[0216] Step 1840 involves obtaining and interpreting a fragment guide1640. An example of the logic appears in the function“GetInterpretFragGuide.cpp” in the appendix. The guide is copied fromthe currently active random table buffer 1630, starting eitherimmediately after where the preceding six byte guide was taken, or (ifstep 1832 led to a change) at the designated new starting point. Oncecopied, the guide is broken into its components . . . the source filestream number 1641, the fragment length 1642, the pointer for thebeginning of the exclusive OR operation 1643, and the three fragmentdisguise controls 1644. The first half of the first byte yields the newcurrent input identifier (1641 and 1613) which indicates which of thesixteen original data files 0220 is to act as source of the fragment1620. If this stream has been marked inactive (because it is out ofdata), the number of the next higher active stream is used (cycle tozero after fifteen). Next, adding one to the second half of the firstbyte yields sixteen possible fragment lengths 1642 ranging from one tosixteen bytes. Bytes two and three of the fragment guide 1640 are usedas a seemingly random offset within the currently active section of therandom table buffer 1630 to be used as the starting point for abyte-for-byte exclusive OR operation applied to the fragment 1620 with astring of the same length within the same section of the random tablebuffer 1630. Recall that in anticipating an overflow, the first fifteenbytes are repeated at the end of the section of the random table buffer1630. Bytes four, five, and six each control a further method ofdisguising the current fragment 1620 with the first four bitsdesignating the method, and the last four bits a parameter for thatdisguise. For example, bit shifting might be one of the sixteen methods,and the last three bits of the lower four bits can designate thestarting point for the bit shifting. 
In the version in the appendix, bitshifting is implemented for the first control 1644; the second and thirdcontrols are left unused.

[0217] Step 1850 involves simply copying the last fragment-length 1642bytes from the original data buffer 1612 designated by the current inputidentifier 1613. There are sufficient bytes in that original data buffer1612 except in the case where in step 1810 it is found that the originaldata file 0220 in its entirety has been read, and that all but one or afew bytes of the last original data buffer 1612 read from that originaldata file 0220 is as yet unprocessed. If there are insufficient bytesleft, this is noted, so that an action code 02 (1502) will be recordedrather than an action code 01 (1501).

[0218] The fragment is now on hand, not yet disguised. The next step,1860, ensures that there is enough space to receive this fragment in thenext eligible fragment heap 1651. In most cases, there is enough space.In the exceptional case, space must be provided. There are two tosixteen open fragment heaps 1651. Eligibility is determined on a roundrobin basis. More specifically, the first fragment 1620 is sent tofragment heap 1651 subscript zero, the second fragment to fragment heap1651 subscript one, etc. . . . the next fragment to the nth fragmentheap 1651 (dispersion count 0410 less one), and the following fragment1620 to fragment heap 1651 subscript zero. If the fragment heap 1651does not have enough space, the target fragment heap 1651 is finalizedin step 1870.

[0219] Step 1870, finalizing a fragment heap, is expanded in FIG. 20below.

[0220] Step 1880 involves disguising and appending the current fragment1620 to the next fragment heap 1651 in round robin order. At least twodisguises should be applied to each fragment 1620. Each disguise shouldbe computationally quick, and should use random data drawn from thefragment guide 1640 as parameters. These techniques, combined with thefact that fragment 1620 borders are undefined, make the emergence ofpatterns virtually impossible. In example function“DisguiseFragment.cpp” in the microfiche appendix, the first disguise isan exclusive OR onto the fragment 1620 with length 1642 starting at thepoint in the currently active section of the random table buffer 1630designated by pointer 1643. From zero to three additional disguises maybe applied using the disguise controls 1644. In the example function“BitScramble.cpp”, the second disguise is a lateral shift of bits acrossthe bytes of the fragment 1620. Note that these “short key” techniquesare computationally much more efficient that conventional encryption.They also remain well within any known legal limit on key length.
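
As an added illustration (not the appendix code), the following C++ decodes a six byte fragment guide 1640 as laid out in step 1840 and applies the two disguises described for step 1880, together with the reverse operations that reconstitution needs. It assumes little-endian byte order for the 16 bit offset, treats method 1 of the first disguise control as a bit rotation whose low three bits give the shift count, and uses a constructed stand-in for the random table; all names are our own.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Added illustration, not the appendix code: decode a six byte fragment guide 1640
// (step 1840) and apply/reverse the two disguises of step 1880. Names are our own.

struct FragmentGuide {
    int stream;                            // 1641: source stream 0..15 (high nibble of byte 0)
    int length;                            // 1642: fragment length 1..16 (low nibble of byte 0, plus one)
    std::uint16_t xorOffset;               // 1643: start offset of the XOR in the active section (bytes 1-2)
    std::array<std::uint8_t, 3> controls;  // 1644: the three disguise controls (bytes 3-5)
};

// Decode a raw guide. 'active' marks which of the sixteen input streams still hold data;
// an inactive stream is replaced by the next higher active one, cycling to zero after fifteen.
FragmentGuide decodeGuide(const std::uint8_t raw[6], const std::array<bool, 16>& active) {
    FragmentGuide g;
    g.stream = raw[0] >> 4;
    g.length = (raw[0] & 0x0F) + 1;
    // Assumption: the page does not give the byte order of the offset; little-endian is used here.
    g.xorOffset = static_cast<std::uint16_t>(raw[1] | (raw[2] << 8));
    g.controls = {raw[3], raw[4], raw[5]};
    int tried = 0;
    while (!active[g.stream] && tried < 16) { g.stream = (g.stream + 1) % 16; ++tried; }
    if (tried == 16) throw std::runtime_error("no active input stream");
    return g;
}

// Active section of the random table buffer 1630: the table followed by a repeat of its
// first fifteen bytes, so a 16 byte XOR starting at the last table offset cannot overflow.
std::vector<std::uint8_t> makeSection(const std::vector<std::uint8_t>& table) {
    if (table.size() < 15) throw std::invalid_argument("table too short");
    std::vector<std::uint8_t> s(table);
    s.insert(s.end(), table.begin(), table.begin() + 15);
    return s;
}

// Lateral shift of bits across the bytes of the fragment, done here as a rotation of the
// fragment's whole bit string by k (0..7) positions. rotateRight is the exact inverse.
void rotateLeft(std::vector<std::uint8_t>& f, int k) {
    if (f.empty() || k == 0) return;
    const std::uint8_t carry = static_cast<std::uint8_t>(f.front() >> (8 - k));
    for (std::size_t i = 0; i + 1 < f.size(); ++i)
        f[i] = static_cast<std::uint8_t>((f[i] << k) | (f[i + 1] >> (8 - k)));
    f.back() = static_cast<std::uint8_t>((f.back() << k) | carry);
}

void rotateRight(std::vector<std::uint8_t>& f, int k) {
    if (f.empty() || k == 0) return;
    const std::uint8_t carry = static_cast<std::uint8_t>(f.back() << (8 - k));
    for (std::size_t i = f.size() - 1; i > 0; --i)
        f[i] = static_cast<std::uint8_t>((f[i] >> k) | (f[i - 1] << (8 - k)));
    f.front() = static_cast<std::uint8_t>((f.front() >> k) | carry);
}

// Step 1880: byte-for-byte XOR with the section starting at the guide's offset, then the
// first control 1644. Assumption: method 1 (high nibble) means bit rotation and the low
// three bits give the shift; other methods are left unused, as in the appendix version.
void disguise(std::vector<std::uint8_t>& frag, const FragmentGuide& g,
              const std::vector<std::uint8_t>& section, std::size_t tableLen) {
    const std::size_t start = g.xorOffset % tableLen;
    for (std::size_t i = 0; i < frag.size(); ++i) frag[i] ^= section[start + i];
    if ((g.controls[0] >> 4) == 1) rotateLeft(frag, g.controls[0] & 7);
}

// Reconstitution undoes the disguises in reverse order with the same guide and section.
void undisguise(std::vector<std::uint8_t>& frag, const FragmentGuide& g,
                const std::vector<std::uint8_t>& section, std::size_t tableLen) {
    if ((g.controls[0] >> 4) == 1) rotateRight(frag, g.controls[0] & 7);
    const std::size_t start = g.xorOffset % tableLen;
    for (std::size_t i = 0; i < frag.size(); ++i) frag[i] ^= section[start + i];
}

// Constructed stand-in for a random table 0230 (a real table is a file of random bytes).
std::vector<std::uint8_t> sampleTable(std::size_t n) {
    std::vector<std::uint8_t> t(n);
    std::uint32_t x = 0x12345678u;
    for (auto& b : t) { x = x * 1664525u + 1013904223u; b = static_cast<std::uint8_t>(x >> 24); }
    return t;
}

// Disguise one 16 byte fragment with an offset that runs into the repeated tail, then
// reverse it; returns true when the fragment changed and was restored exactly.
bool roundTripDemo() {
    const std::size_t tableLen = 256;
    const std::vector<std::uint8_t> section = makeSection(sampleTable(tableLen));
    std::array<bool, 16> active; active.fill(true);
    const std::uint8_t raw[6] = {0x2F, 0xFF, 0x00, 0x13, 0x00, 0x00};  // stream 2, 16 bytes, offset 255, rotate by 3
    const FragmentGuide g = decodeGuide(raw, active);
    const char* text = "private record!!";                                 // constructed 16 byte fragment
    const std::vector<std::uint8_t> original(text, text + g.length);
    std::vector<std::uint8_t> frag = original;
    disguise(frag, g, section, tableLen);
    const bool changed = (frag != original);
    undisguise(frag, g, section, tableLen);
    return changed && frag == original;
}
```

The round trip only holds when reconstitution sees the same random table section and the same guide, which is why step 1890 records the table and position changes as action codes.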

[0221] In step 1890, the action taken on the fragment 1620 is recorded. In most cases, the record is simply an action code 01 (1501); in this case, nothing is written for the time being to the temporary file 1690 to accumulate actions. If this is the first action code 01 in a row (some other action code has intervened since the last action code 01), then the beginning and ending addresses for the trailer are set the same. If it is a subsequent action, the ending address is changed in the trailer. However, if the fragment 1620 was smaller than the size designated by the fragment handling guide 1640, this latest iteration through loop 1810 to 1890 is recorded as an action code 02. (If an action code 02—or any code other than 01—is written, then any accumulation of action 01 records 1501 must be written first.) To complete step 1890, the current heap pointer is reset to zero, and the fragment heap 1651 assignment is set to the next sequential higher number (or back to the first heap if the dispersion level 0410 has been reached).

[0222] At this point, processing returns to step 1810. Steps 1810 through 1890 comprise a loop, which is reiterated until no original data files 0220 remain.

[0223] FIG. 19 is an expansion of step 1810 which focuses on management of an original data file 0220 while fragmenting. FIG. 19 comprises steps 1910 through 1990.

[0224] Step 1910 determines whether sixteen or more bytes exist in the “latest use” original data buffer 1612. Latest use is determined by the identifier 1641 in the latest fragment guide 1640. If there are sixteen or more bytes in that original data buffer 1612, then input status 1810 is okay for this iteration through the loop comprising FIG. 18; control is passed to step 1820 in FIG. 18.

[0225] If in step 1910 it is determined that there are fewer than sixteen bytes in the original data buffer 1612, not every possible fragment 1620 size can be accommodated therein. The first option in this case is to replenish the original data buffer 1612. Step 1920, replenishing the original data buffer 1612, can be carried out only if bytes remain in the original data file 0220 that have not yet been read into the original data buffer 1612. If that file is already depleted, skip to step 1930.

[0226] If unread bytes remain, step 1920 starts by positioning backward in the original data file 0220 roughly 2,048 bytes earlier than the point at which data was brought in from this file on the previous reading. To be precise, the position is 2,048 bytes back, then the number of unprocessed bytes still in the original data buffer 1612 forward. For example, if there are still 13 unprocessed bytes in the original data buffer 1612, the correct positioning point is 2,035 (2,048 minus 13) bytes prior to the point in the original data file 0220 from which content was read the last time from this file. Then 2,048 bytes are read. The 13 residual bytes in the example now appear as the last 13 of the new group of bytes in the original data buffer 1612. On the last reading from the beginning of the original data file 0220, there are typically not 2,048 bytes not yet processed. Positioning in this special case is to the beginning of the original data file 0220. The number of bytes is adjusted to ensure that exactly enough bytes were taken in to handle all the as-yet-unprocessed bytes of the original data file 0220. Also in the special case of reading from the beginning of the file, a flag is set to indicate that content of this original data file 0220 has been depleted.
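
The backward reading scheme of steps 1920 and 1960, as an added example that is not the appendix code: the original data file is modelled as an in-memory byte vector and the buffer is consumed from its end as in step 1850, so the positioning arithmetic, the beginning-of-file case with its depleted flag, and the short final fragment are all exercised. Names are our own.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration of the backward reading in steps 1920 and 1960, not the appendix
// code. The original data file 0220 is an in-memory byte vector; names are our own.

constexpr std::size_t kChunk = 2048;    // read size stated in step 1920
constexpr std::size_t kMinBuffer = 16;  // step 1910: enough for the largest fragment

struct InputStream {
    const std::vector<std::uint8_t>* file = nullptr;
    std::size_t lastReadStart = 0;       // file offset at which the previous read began
    std::vector<std::uint8_t> buffer;    // original data buffer 1612, consumed from its end
    bool depleted = false;               // set once the beginning of the file has been read
};

// Step 1960: open a stream by reading the last 2,048 bytes (all bytes if the file is shorter).
InputStream openStream(const std::vector<std::uint8_t>& file) {
    InputStream s;
    s.file = &file;
    const std::size_t n = std::min(kChunk, file.size());
    s.lastReadStart = file.size() - n;
    s.buffer.assign(file.begin() + s.lastReadStart, file.end());
    s.depleted = (s.lastReadStart == 0);
    return s;
}

// Step 1920: position 2,048 bytes back from the previous read, then forward by the number
// of unprocessed bytes, and read 2,048 bytes so that the residue becomes the tail of the
// new buffer. Near the beginning of the file, read from offset 0 exactly enough to cover
// the residue plus the unread prefix, and set the depleted flag. Returns false when the
// file was already depleted (step 1930 applies instead).
bool replenish(InputStream& s) {
    if (s.depleted) return false;
    const std::size_t residual = s.buffer.size();
    const std::size_t unreadEnd = s.lastReadStart + residual;  // bytes [0, unreadEnd) not yet handled
    const std::size_t start = (unreadEnd >= kChunk) ? unreadEnd - kChunk : 0;
    s.buffer.assign(s.file->begin() + start, s.file->begin() + unreadEnd);
    s.lastReadStart = start;
    s.depleted = (start == 0);
    return true;
}

// Steps 1810 and 1850 together: replenish when fewer than 16 bytes remain, then take the
// last 'len' bytes of the buffer. A short result is the action code 02 case; an empty
// result means the stream is exhausted (step 1940 would close it).
std::vector<std::uint8_t> takeFragment(InputStream& s, std::size_t len) {
    if (s.buffer.size() < kMinBuffer) replenish(s);
    const std::size_t n = std::min(len, s.buffer.size());
    std::vector<std::uint8_t> frag(s.buffer.end() - n, s.buffer.end());
    s.buffer.resize(s.buffer.size() - n);
    return frag;
}

// Drain a whole file with a repeating cycle of fragment lengths (1..16, non-empty list),
// returning the fragments in the order drawn.
std::vector<std::vector<std::uint8_t>> drain(const std::vector<std::uint8_t>& file,
                                             const std::vector<std::size_t>& lengths) {
    InputStream s = openStream(file);
    std::vector<std::vector<std::uint8_t>> out;
    for (std::size_t i = 0;; ++i) {
        std::vector<std::uint8_t> f = takeFragment(s, lengths[i % lengths.size()]);
        if (f.empty()) break;
        out.push_back(f);
    }
    return out;
}

// Because reading and drawing both run from the end, concatenating the fragments in
// reverse order of drawing gives back the original file.
std::vector<std::uint8_t> reassemble(const std::vector<std::vector<std::uint8_t>>& frags) {
    std::vector<std::uint8_t> out;
    for (auto it = frags.rbegin(); it != frags.rend(); ++it) out.insert(out.end(), it->begin(), it->end());
    return out;
}
```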

[0227] If replenishing the original data buffer 1612 is successful in step 1920, processing returns to step 1820.

[0228] Reading and positioning errors in step 1920 are fatal. If a fatal error occurs due to reading and positioning errors, the entire process is aborted and a final report 1780 is shown to the user.

[0229] Step 1930 is reached only if the original data file 0220 was already depleted when step 1910 was reached. Step 1930 determines whether there are still one or more bytes in original data buffer 1612. If there are still 1 to 15 bytes (there will not be more), processing returns to step 1820.

[0230] Step 1940 is undertaken if no bytes remain in the original data buffer 1612 after replenishment, step 1920. In this case, that particular original data file 0220 is closed and an action code 12 is recorded (1512).

[0231] Step 1950 determines whether any more original data files 0220 remain unprocessed in the user's selection list 0520.

[0232] Step 1960 is undertaken if more original data files 0220 remain to be processed. In this case, the next original data file 0220 in the selection list 0520 is opened. It is assigned the same input file stream number as the file that was just closed. An action code 11 is recorded; its trailer contains the offset in the index file 0260 that will apply to the newly opened original data file 0220. The last 2,048 bytes of the original data file 0220 (or all bytes if the original data file 0220 is under 2,048 bytes in length) are read into the same original data buffer 1612. Since all the information is on hand for this new file, a record is made in the index file 0260 . . . the directory entry 1110 if that has changed, the file name 1120, the input stream number 1131, the time and date stamp 1132, the file size in bytes 1133, and the offset of the applicable directory location 1134 within this index file 0260. Control then passes back to step 1820.

[0233] Step 1970 is reached when there are no bytes left in the current original data buffer 1612 and there are no further original data files 0220 in the user's selection list 0520. Step 1970 sets a flag that the input stream is no longer active. This portion of logic is reached a maximum of sixteen times in one fragmentation processing run. This happens only in the latter stages of the run.

[0234] Step 1980 checks whether any file input streams at all remain open. If there are, processing returns to step 1820.

[0235] Step 1990 is reached if there are no remaining active input streams. In step 1990, a flag is set to indicate that no further input data remains. Control passes to step 1820 and in this one special case, will pass next to step 1750, finalizing composite files.

[0236] FIG. 20 is an expansion of finalizing a fragment heap, step 1870.

[0237] Normally, step 2010 is to pad the unused zero to 15 bytes at the end of the designated fragment heap 1651 with random bytes out to 65,536 bytes. In the event that all data has been used and there will be no further fragments, 0 to 1,023 random bytes are added, exactly enough to convert the fragment heap 1651 into a composite segment 1652 whose active size is a multiple of 1,024 bytes.

[0238] Step 2020 is to apply camouflage to the composite segment 1652. The purpose is to remove any possibility of patterns appearing within a composite segment 1652 of a composite file 0250. An action code 91 (1591) series of exclusive OR operations is executed for some random number of steps starting at a random point in the currently active section of the random table buffer 1630. See 1591 action step 91 for detail and also see “HandleFragFiles.cpp” in the appendix for an implementation. The camouflage buffer 1680 is used as a source of bytes for exclusive OR operations in random patterns across the composite segment 1652. An action code 91 is recorded with its beginning and terminating offsets within the currently active section of the random table buffer 1630.

[0239] Step 2030 involves writing an action code 21 (1521) to indicate closure of the composite segment 1652. The first three trailer items are: two byte size of the composite segment 1652 in bytes prior to random padding, one byte value 0 . . . 119 which specifies the composite file 0250 to which the composite segment 1652 is written, and a one byte value 0 . . . 15 which specifies the fragment heap 1651 from which the composite segment 1652 was created.

[0240] Step 2040 is to write a dummy action code 22 with the fourth trailer for action code 21 (1521), the offset in multiples of 1,024 at which the composite segment 1652 begins within the composite file 0250. Action code 22 is needed during fragmentation 1740 because at this stage the trailer width is fixed at four bytes. This restriction is lifted later when the reconstitution plan 1270 is created in steps 2130 and 2140.

[0241] Step 2050 is a test to determine if all eligible composite files 0250 have been written to disk. This test takes into consideration the setting of the maximum count “MaxCtPvtFiles” within intermediate objects group 1660, in the range 110 to 120. If not all file names have been used, the current segment is written in step 2060 to a new file assigned the next composite file name in sequence. Otherwise, step 2070 is performed, in which the composite segment 1652 is appended to the next available composite file 0250 in round robin order.

[0242] Step 2080 is to check the status of the camouflage buffer 1680. When the first of all the composite segments 1652 is written out to the first composite file 0250, the camouflage buffer 1680 contains only a copy of the first random table 0230. This is swapped out in a step 2085 in the first instance that a composite segment 1652 contains a full complement of 65,536 bytes. At this point, the camouflage buffer 1680 is filled with the content of the first composite segment 1652 that has just been written out in step 2060; this is recorded as an action code 41 (1541). Thereafter, on a random basis (one chance say in four), in step 2085 swap the camouflage buffer content 1680 by overwriting it with the initial 65,536 bytes of the composite file 0250 associated with the latest sector just written out in step 2060 or 2070. In each swap 2085, two records are added to the temporary file 1690 . . . an action code 42 (1542) to “close” the old camouflage buffer content 1680 and an action code 41 (1541) to record the new.

[0243] In step 2090 the fragment heap 1651 is reinitiated by resetting the pointers so that the fragment heap 1651 can receive new entries starting at its beginning.

[0244] Recall that steps 2010 through 2090 are detail that is entered into only when step 1860 revealed that there was not enough space remaining in the fragment heap 1651 to receive the latest fragment 1620.

[0245] FIG. 21 expands upon step 1770, building a reconstitution file 0270. This is reached only after all processing within FIGS. 18, 19, and 20 has been exhausted. The objective at this point is to create a reconstitution file 0270 containing all information needed to retrieve the original data files 0220 in the future. This reconstitution file 0270 will be disguised and encrypted so that it can be used only by the computer that created it.

[0246] Step 2110 is to create the reconstitution header 1250. The structure in FIG. 13 is sufficient to guide construction of the header. The first portion of “BuildReconFile.cpp” in the appendix illustrates a straightforward implementation of this step.

[0247] Step 2120 is to create the reconstitution main body 1260. All components for the body are described in FIG. 14. Their content is in RAM in final form, so they are simply appended as the next part of the reconstitution file 0270. Again, “BuildReconFile.cpp” provides a useful illustration.

[0248] Step 2130 lays the groundwork to cycle through all action codes in reverse order. During fragmentation 1740, all actions were recorded in a temporary file 1690 in fixed width format—one byte action code followed by the trailer in four byte form. These five byte segments must be read in reverse order. Since the full size is known, a buffer can be allocated dynamically. The entire temporary file is read into this buffer. A pointer is set to the end of this buffer.

[0249] Step 2140 involves reading the action codes with their trailers in reverse order, copying the code, and compressing integers or otherwise processing the trailer in a way that depends on the particular action code. The result is appended, one action code at a time, onto the end of the reconstitution file 0270. The totality of these action codes with their processed and/or compressed trailers constitutes the reconstitution plan 1270. Specific processing of the action codes follows.

[0250] Step 2141 applies to action codes 01 and 91 (1501 and 1591). The four byte trailer, consisting of two 16 bit offsets, is copied without change.

[0251] Step 2142 applies to action code 02 (1502). The first three bytes are copied, and the fourth byte is dropped.

[0252] Step 2143 applies to dummy action code 22 (1522). The first two bytes are retained in memory in preparation for the action code 21 which will immediately follow. There is no further action with dummy action code 22.

[0253] Step 2144 creates a four integer trailer with five or more bytes for an action code 21 (1521). Full detail and an example are provided in 1521 above.

[0254] Step 2145 applies to action code 13 (1513). The stream number is reduced to a one byte compressed integer trailer.

[0255] In step 2146, all remaining action codes (1511, 1512, 1531, 1532, 1541, 1542) have their trailers reduced to one compressed integer.

[0256] Step 2150 is undertaken when all action codes and their trailers have been processed to complete the reconstitution plan 1270. Step 2150 is to disguise the completed reconstitution file 0270 in a way that makes it accessible to only the computer which privatized the current set of original data files 0220. The implementation of step 2150 depends on the computer identification system that is used in conjunction with the system and method to privatize computer data. See computer identifier 0922.

[0257] Step 2160 is to encrypt the entire reconstitution file using a broadly respected cryptographic algorithm. A definitive choice is outside the purview of this patent application. Recall that the reconstitution file 0270 is normally withheld or distributed only in a most guarded manner 1220. The intent of encryption is to add another layer of protection, should the reconstitution file fall into unfriendly hands. The standard reference work on encryption is Bruce Schneier, Applied Cryptography, 2nd edition, New York: John Wiley and Sons, 1996. In the first Windows implementation of the method to privatize computer data 0110, the selected technique was GOST (Soviet military encryption that came into public domain with the fall of the Soviet Union). A 32 bit key was derived from the 15 random bytes 1310 included at the beginning of the reconstitution header. Calculating a key from random bytes is not as secure as a public key/private key protocol; other methods might be considered as networking connectivity improves in the future. Another significant factor in the choice of encryption methodology (at least for US citizens) is evolution of regulations of the Bureau of Export Administration (US Department of Commerce). Recall that the reconstitution file 0270 has been designed to be quite small relative to the composite files 0250. Because the intensive computation required for encryption is applied to a relatively small entity, the user does not experience the delays to be expected when encrypting large quantities of data.

[0258] Step 2170 is the last step in FIG. 10. The disguised and encrypted reconstitution file 0270 is named as in 0320, 0451, and 0450, and written out to hard disk. For the sake of increased security, there is no automatic transfer of the reconstitution file 0270 to Internet locations.

[0259] This completes all aspects of processing to privatize data.

[0260] FIGS. 22, 23, and 24 demonstrate an implementation of the support procedure to share access 0120 to privacy protected archives 0261, whether for recovery on a backup computer or for deliberate distribution of rights to specific other computers. The distribution procedure is not essential to the system and method to privatize computer data. But it provides an attractive means to get privacy protected information quickly to anywhere in the world, taking advantage of the nature of the Internet. To repeat from above: The Internet appears very public, yet it is an excellent hiding place for composite files 0250 located under obscure directory and subdirectory names. An authorized person equipped with a reconstitution file 0270 tailored to his/her computer plus the correct password 0330 could reconstitute data hidden on the Internet. He or she does not even need to know where the information is; the reconstitution file 0270 holds all the relevant information. Thus the system and method forms a basis for “private distribution” that is quick, accurate, and totally independent of geography (location in the world).

[0261] FIG. 22 is technically not part of this patent application. It demonstrates a support process that facilitates granting access to other computers. The viewpoint in FIG. 22 is that of the person requesting access to one or more privacy protected archives 0261.

[0262] Note 2210: This capability does depend on a computer identification system of some sort. This technology as noted above (0922 and 0923) is outside the purview of this patent application. Assume simply that there is a means of reliably identifying the computer that is operating the program 0930, and that users can exchange computer signature files 0923 that are self-authenticating.

[0263] Note 2220: The screen image shown in FIG. 22 is from a product called “Secure Software Rental” by Marpex Inc. (also the originator of the system and method to privatize computer files 0110). This screen image is viewed on the computer of the person who requests access to one or more privacy protected archives 0261.

[0264] In step 2230, fill in a time span over which the signature file created here is to be valid. A default value of 60 days, 0 hours, and 0 minutes is deemed reasonable.

[0265] Step 2240, an “in response to” input, may be left blank.

[0266] Step 2250 should start with browsing to a location in which the signature file is to be placed. Then give a name for the signature file. A suffix “.XPM” will be added automatically.

[0267] Clicking the “save signature” button initiates a process 2260, which creates a computer signature file 0943. This system produces a 1,260 byte signature that uniquely identifies the computer without using data from any files and without any information about the user of the computer or about any organizations. It contains material that can be used later to disguise a reconstitution file 0270 so that it can be used only by this requesting computer and by no other.

[0268] In step 2270, the requester transmits the signature file 0943 by some means (possibly email attachment) to the author of the desired privacy protected archive(s) 0261.

[0269] FIG. 23 presents the first of two screens used for input by the owner of a master or backup copy of a reconstitution file 0270. The objective is to share access to one or more privacy protected archives 0261 with selected persons on computers for which those selected persons have submitted signature files 0943. These signature files 0943 are collected on the author's hard drive. If the Secure Software Rental version is used, the signature files are placed in a directory called “Marpex” in the drive on which Windows is installed.

[0270] Step 2310 is to identify the privacy protected archive 0261 for which access is to be shared. This is done by browsing and selecting the reconstitution file 0270 (or first reconstitution file if multiple pass cascading fragmentation 0362 has been used).

[0271] Step 2320 is to enter the valid password 0330 for that reconstitution file 0270.

[0272] Step 2330 is to select the rights to be assigned to the new version of the reconstitution file 0270, whether backup 1212 or distribution 1213. Backup versions 1212 have considerably more scope, and should only be given to trusted persons.

[0273] Step 2340 is to select one signature file 0943 at a time.

[0274] These signature files 0943 are incorporated into a list 2350, which is displayed in the lower half of the screen image. This list should contain signature files 0943 only for computers and users that are to be granted authorization.

[0275] A signature file 0943 name 2351 normally corresponds to the name 2250 given by the requester. Built into the signature file 0943 is among other things an eight byte computer ID 2352; see 0922.

[0276] A delete button 2360 is available to remove a highlighted entry from the list 2350.

[0277] Pressing the “next” button 2370 initiates a brief process to validate that the current computer 0920 has rights to the selected reconstitution file (0270 and 2310), that the reconstitution file type 1320 is either Master or Backup, and that the password 2320 matches the password 0330 in the file. After validation, control passes to FIG. 24.

[0278] The steps in FIG. 24 allow the author to set passwords to be built into new copies of the reconstitution file 0270 and 2310.

[0279] In step 2410, specify a signature file 2250 from the list 2350.

[0280] In step 2420, specify a password and confirm it.

[0281] Step 2430 provides an option to assign the same password to all new reconstitution files that will be constructed in the next step.

[0282] In step 2440, the author creates new reconstitution file(s), one for each signature file which is to be granted access. The underlying steps are (a) to undo the encryption of step 2160, (b) remove the author-computer-specific disguise of step 2150, (c) replace the computer identifier field 1330, (d) change the reconstitution file type 1320 to either “B” backup or “D” distribution, (e) replace the password 1340 with the selection 2430, (f) replace the disguise, now with one based on the computer signature file for the target requester's computer, and (g) encrypt again as in step 2160. In the Windows implementation, each new reconstitution file 0270 was given the same name as the original; this was placed in a subdirectory named for the requester's signature file 2250.

[0283] In step 2450, the author transmits the new reconstitution file(s) to the intended receivers by some appropriately secure means.

[0284] On receipt, the user is able to access the privacy protected archive using the procedure to reconstitute privatized data 0160 that has been dispersed to Internet locations 0440.

[0285] FIG. 25 presents a support procedure 0130 to validate privacy protected archives 0261. The objective is to ensure that the files necessary for reconstituting privatized data 0160 are accessible. This set of files is comprised of each and every composite file 0250, the index file 0260, other reconstitution files 0270 if any resulting from multiple pass cascading fragmentation 0362, and the applicable random tables 0230. Any user with a reconstitution file 0270 and password 0330 valid on the computer currently in use may validate the corresponding archive 0261.

[0286] In step 2510, the user specifies the archive 0261 by browsing and selecting its reconstitution file 0270.

[0287] In step 2520, the user inputs the password 0330.

[0288] Step 2530 is to select among three types of validation. Theoptions are to check hard disk location only, check for sufficiency ofthe archive, or check for completeness of the archive. The hard diskrequirement limits the search for files to the working directory on thehard disk. Sufficiency requires that at least one copy of each filelisted above be found in one of the expected locations. Search is onhard disk first, then on the Internet at the indicated locations 0440.Note that random tables 0230 are required on hard disk. If any aremissing, the user should be told the location on the Internet from whichthe missing tables may be downloaded. Completeness of an archiverequires in addition that every Internet-dispersed file copy is in placein the prescribed location; reports on hard disk presence and Internetpresence may be separated since the user may not elect to copy all filesin from the Internet to hard disk.

[0289] The user then clicks on the “verify archive” button. The computer verifies that the current computer is eligible, and aborts procedure 0130 with a report if the computer is not eligible. The selected reconstitution file 0270 is presumed to be in the working directory 0420.

[0290] Step 2540 occurs only if the program cannot find the random tables. Step 2540 is to specify the location of random tables 0230, typically through a standard browse and select procedure. This is the last user input. Processing from this point forward is under the program's control.

[0291] Step 2550 is to check the presence of all needed random tables 0230. This involves extracting the count 1380 of random tables and the associated random table identifiers 1370. This list is compared with the names of random table files 0230 present in the directory selected in step 2540 as the location of random tables. Deficiencies in random tables 0230 will be reported in detail in step 2590, no matter what the reconstitution file type 1320.

[0292] Step 2560 is to check the presence of all composite files 0250. This involves passing through the list of composite file names 1440 and checking first on hard disk in the working directory 2510 and, if the validation type 2530 is either Master or Backup, in the Internet locations 0440.

[0293] Step 2570, checking the presence of the index file 0260, is a simplified version of step 2560. Only one file name, 1430, is involved. If Internet locations are checked, it is for the first location only (locations, plural, if redundancy 0430 and completeness checking 2530 both apply).

[0294] Step 2580 is to check whether cascading 0362 has been used. This is determined from the count of cascades 1362 in the reconstitution header 1250.

[0295] If cascading 0362 has been used, step 2581 checks for the presence of the remaining reconstitution files named in 1421 and 1422. The search is limited to the hard disk working directory 2510; the reconstitution file 0270 holds no information on Internet-based dispersion of reconstitution files 0270.

[0296] Step 2590 fulfils the purpose of validation: a report to the user on the status of the privacy protected archive and the associated files. First, missing random tables 0230 are listed. Then, if the reconstitution file 0270 used to specify 2510 the archive is of master or backup type 1320, the remaining exact deficiencies should be reported. This list should give file names in all cases and Internet locations where applicable. If the specifying reconstitution file 0270 is of distribution type 1320 only, the user is not entitled to the names of files other than random tables 0230, nor to the hidden dispersion locations 0440. The user in the latter case is simply advised to contact the author/publisher because the set of files is not complete.
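The validation logic of steps 2550 to 2590, as an added example in Python that is not part of the patent or its appendix. The header field names, the presence inputs (sets of file names standing in for directory listings and network checks) and the sample archive state are assumptions constructed for the example; what it demonstrates is the reporting rule of step 2590, under which a distribution-type holder is told about missing random tables but learns neither the names of other missing files nor the hidden locations.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ReconHeader:
    """The parts of reconstitution header 1250 that validation consults.

    Field names are assumptions made for this example; the page does not give
    the binary layout of the real header.
    """
    file_type: str                 # 1320: "master", "backup" or "distribution"
    random_tables: List[str]       # identifiers 1370; count 1380 is len()
    composite_files: List[str]     # names 1440
    index_file: str                # name 1430
    cascade_files: List[str]       # remaining reconstitution files 1421/1422
    locations: List[str]           # Internet locations 0440
    redundancy: bool = False       # 0430


def validate_archive(hdr: ReconHeader, table_dir: Set[str], work_dir: Set[str],
                     remote: Dict[str, Set[str]], completeness: bool) -> Tuple[bool, List[str]]:
    """Steps 2550 to 2590. Returns (archive complete, report lines).

    table_dir: file names in the random-table directory chosen in step 2540.
    work_dir:  file names in the working directory 2510.
    remote:    location -> file names visible there (stand-in for a network check).
    completeness: validation type 2530; True also checks Internet copies,
    which only master/backup files are entitled to.
    """
    # Step 2550: random tables are checked and reported in full for every file type.
    missing_tables = [t for t in hdr.random_tables if t not in table_dir]

    deficiencies: List[Tuple[str, str]] = []       # (file name, where it is missing)
    check_remote = completeness and hdr.file_type in ("master", "backup")

    # Step 2560: composite files, on hard disk and, where entitled, at every location.
    for name in hdr.composite_files:
        if name not in work_dir:
            deficiencies.append((name, "hard disk"))
        if check_remote:
            deficiencies += [(name, loc) for loc in hdr.locations
                             if name not in remote.get(loc, set())]

    # Step 2570: index file; first location only unless redundancy 0430 applies.
    if hdr.index_file not in work_dir:
        deficiencies.append((hdr.index_file, "hard disk"))
    if check_remote:
        for loc in (hdr.locations if hdr.redundancy else hdr.locations[:1]):
            if hdr.index_file not in remote.get(loc, set()):
                deficiencies.append((hdr.index_file, loc))

    # Steps 2580/2581: cascaded reconstitution files live on hard disk only.
    deficiencies += [(name, "hard disk") for name in hdr.cascade_files if name not in work_dir]

    # Step 2590: the report. A distribution-type holder learns only about random
    # tables; other file names and hidden locations are withheld.
    report = [f"missing random table: {t}" for t in missing_tables]
    if deficiencies:
        if hdr.file_type in ("master", "backup"):
            report += [f"missing {name} at {where}" for name, where in deficiencies]
        else:
            report.append("archive incomplete: contact the author/publisher")
    return (not missing_tables and not deficiencies), report


def sample_inputs():
    """Constructed sample archive state (not data from the page)."""
    hdr = ReconHeader(
        file_type="master",
        random_tables=["RT0001", "RT0002"],
        composite_files=["c1.dat", "c2.dat"],
        index_file="idx.dat",
        cascade_files=[],
        locations=["https://host-a.example/p/", "https://host-b.example/q/"],
    )
    table_dir = {"RT0001"}                                   # RT0002 is absent
    work_dir = {"c1.dat", "c2.dat", "idx.dat"}
    remote = {"https://host-a.example/p/": {"c1.dat", "idx.dat"},   # c2.dat absent here
              "https://host-b.example/q/": {"c1.dat", "c2.dat", "idx.dat"}}
    return hdr, table_dir, work_dir, remote


if __name__ == "__main__":
    hdr, tables, work, remote = sample_inputs()
    for line in validate_archive(hdr, tables, work, remote, completeness=True)[1]:
        print(line)
```

Run against the same sample with a distribution-type header and a composite file missing from the working directory, the report names the missing random table and then says only that the archive is incomplete; the master-type report names the file and the location.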

[0297] FIG. 26 presents a support procedure to delete privacy protected archives (0140). In step 2610, the user specifies the archive 0261 which is to be deleted. This is done by browsing and selecting its reconstitution file 0270.

[0298] In step 2620 the password 0330 is entered. When the user clicks on the “delete archive” button, rights to use the reconstitution file 0270 are checked through both the computer identifier 0922 and the password 0330. If the selected reconstitution file 0270 has only distribution status 1320, all deletions will be limited to the hard disk only.

[0299] The location of one reconstitution file 0270 has been determined in step 2610. If multiple pass cascaded fragmentation 0362 has been used, the program checks that the remaining reconstitution files are together in the same location with the named reconstitution file 0270. Note that random tables 0230 are not deleted, since they may be associated with other privacy protected archives 0261.

[0300] Step 2640 is to request confirmation that the user really wishes to delete all copies of composite files 0250, the index file 0260, and reconstitution file(s) 0270. The process aborts if the user selects the “cancel” alternative.

[0301] Step 2650 is to delete the files. If Internet locations 1450 are involved, access to the Internet is required at this point. All copies of composite files 0250 are deleted from hard disk in all cases, and from all Internet locations where there is master or backup status 1320. The same procedure is followed with copies of the index file 0260. Finally, the reconstitution file(s) are deleted. Deleting the reconstitution file(s) last means that, if any earlier deletion fails, the record of where the remaining copies are still exists and step 2650 can be repeated.

[0302] Step 2660 is to report to the user either success or the problems encountered.

[0303] FIG. 27 provides detail on how to plan dispersion of privatized data 0150. This support procedure amounts to adding to and editing one disguised file, “ILocate.dat” (0915).

[0304] When the user selects planning dispersion, step 2710 is to load the file “ILocate.dat” into memory. This file is unlikely ever to exceed 10,000 bytes.

[0305] Step 2720 is to decrypt the contents or to remove whatever disguise has been applied. The disguise ideally should be computer specific, to preclude people taking advantage of stolen “ILocate.dat” files 0915.

[0306] Step 2730 is an option to select an existing entry in the display. If this is done, the selection is highlighted.

[0307] Step 2740 is an option to delete a highlighted existing entry.

[0308] Step 2750 is to validate a highlighted existing entry. This step, if used, requires Internet access. This is a standard procedure.

[0309] Step 2760 is to add individual locations, one at a time. This is a less efficient, but more secure, alternative to step 2780.

[0310] Step 2770 is to edit locations, user names, and passwords already on file in “ILocate.dat”.

[0311] Step 2780 is to select and add text files containing additional locations, in the event the user has received file(s) containing locations, user names, and passwords.

[0312] Step 2790 is to disguise the contents of the revised file prior to writing it out. If the computer identifier system used in conjunction with this system and method provides an appropriate computer identifier 0922 and/or computer signature 0923, variations on an exclusive OR of the identifier or signature with the buffer content may be sufficient. Note that a plain exclusive OR with a fixed identifier is a repeating key: anyone who can guess part of the plaintext, such as the “https://” with which a location begins, recovers the key bytes at those positions and can strip the disguise at every position where the key repeats. Because the file holds user names and passwords for the hidden locations, a keyed cipher with a fresh nonce per write is preferable where the identifier is short or guessable.

[0313] Step 2795 is to write the contents of the buffer back into the file “ILocate.dat”.

[0314] The advantage of these procedures is that they allow update and expansion of the pool of Internet locations 0440 from which the program may draw when the user specifies dispersion of the components of a privacy protected archive 0261.
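An added Python example, not taken from the patent, of the disguise step 2790 as the page sketches it (exclusive OR with the computer identifier), of the known-plaintext check a practitioner would run against it, and of a keyed alternative. The buffer layout, the identifier value and the use of HMAC-SHA256 in counter mode as the keystream are assumptions of the example.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample buffer. The page says ILocate.dat holds locations, user
# names and passwords; the tab-separated line format used here is an assumption.
SAMPLE_BUFFER = (
    b"https://host-a.example/p/x7q/\tuser-a\tpw-one\n"
    b"https://host-b.example/q/k9/\tuser-b\tpw-two\n"
)
COMPUTER_ID = b"ID-0922-SAMPLE"        # stand-in for computer identifier 0922


def xor_disguise(buf: bytes, ident: bytes) -> bytes:
    """Step 2790 as the page sketches it: XOR the buffer with the identifier,
    repeated to the buffer length. Applying it twice restores the buffer."""
    return bytes(b ^ ident[i % len(ident)] for i, b in enumerate(buf))


def crib_recover(disguised: bytes, crib: bytes, key_len: int) -> Dict[int, int]:
    """Known-plaintext check against xor_disguise: if the attacker guesses that
    the buffer starts with `crib` (every entry here starts "https://"), the key
    byte at each covered position is disguised[i] ^ crib[i]. Returns the key
    bytes learned, indexed by position within the repeating key."""
    return {i % key_len: disguised[i] ^ crib[i]
            for i in range(min(len(crib), len(disguised)))}


def partial_strip(disguised: bytes, known: Dict[int, int], key_len: int) -> bytes:
    """Remove the disguise wherever the key byte is known, '?' elsewhere. Every
    position congruent to a learned key position is exposed, not just the crib."""
    return bytes(disguised[i] ^ known[i % key_len] if i % key_len in known else 0x3F
                 for i in range(len(disguised)))


def keystream_disguise(buf: bytes, key: bytes, nonce: bytes) -> bytes:
    """A stronger variant (an added suggestion, not the page's method): derive a
    non-repeating keystream with HMAC-SHA256 in counter mode. The nonce must be
    fresh for every write and stored with the file; a crib then reveals only the
    keystream bytes under the crib, which say nothing about other positions.
    The key must be secret and high-entropy, which a computer identifier may
    not be. Applying the function twice with the same key and nonce restores
    the buffer; it provides confidentiality only, no integrity check."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(buf):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(b ^ stream[i] for i, b in enumerate(buf))


if __name__ == "__main__":
    d = xor_disguise(SAMPLE_BUFFER, COMPUTER_ID)
    known = crib_recover(d, b"https://", len(COMPUTER_ID))
    print(f"{len(known)} of {len(COMPUTER_ID)} key bytes recovered from one crib")
    print(partial_strip(d, known, len(COMPUTER_ID)).decode(errors="replace"))
```

With a 14-byte identifier, the single guess that the buffer opens with "https://" yields 8 key bytes and therefore exposes 8 of every 14 bytes in the whole file, including the later user name and password fields; further guesses (the tab separators, the newline, the next "https://") fill in the rest.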

[0315] FIGS. 28, 29, and 30 deal with an essential support procedure, that of reconstituting privatized data 0160. This will typically be the most frequently used procedure associated with the system and method 0110. Reconstitution logic amounts to a careful reversal of the steps 0290 that were used in privatizing the original data files 0220 in the first place.

[0316] FIG. 28 involves two elements of data entry.

[0317] In step 2810, the user specifies the target archive 0261 by browsing and selecting its reconstitution file 0270.

[0318] In step 2820 the password 0330 is entered.

[0319] When in step 2830 the user clicks on the “Next” button, rights to use the reconstitution file 0270 are checked through both the computer identifier 0922 and the password 0330. The location of the reconstitution file is presumed to be the working directory 0420.

[0320] FIG. 29 involves three more elements of data entry.

[0321] Step 2910 permits recovery to an alternative drive. Directories and subdirectories not present will be created on whatever drive is selected. Names taken from the index file 0260 should be checked to resolve beneath the selected drive or directory before any directory is created, so that a damaged or altered index cannot direct output elsewhere.

[0322] Step 2920 is to specify whether all files or only a subset are to be retrieved.

[0323] Step 2930 is to indicate whether older files may be permitted to overwrite newer copies in the target location.

[0324] The label on the button, “Next”, changes to “Retrieve” if in 2920 all files are to be reconstituted. By whatever name, the user clicks on this button to proceed.

[0325] The screen image in FIG. 30 appears only if the user specified in step 2920 that a subset needs to be selected.

[0326] In step 3010, the program executes steps 2540 through 2581 to validate the archive 0261 on a sufficiency basis 2530. If essential files are missing, the reconstitution procedure 0160 is aborted and the user is informed of the deficiencies. If it is only random tables 0230 that are missing, the user is invited to download copies from the Internet.

[0327] In step 3020 the program assembles one copy of each file in the working directory 0420 on hard disk. Failure in any part leads to aborting the procedure and advising the user.

[0328] If the user has elected 2920 to retrieve only a subset of the original data files 0220, step 3030 provides the opportunity to select the files to be retrieved. The display list is created directly from the content of the index file 0260.

[0329] In the three steps “select directory” 3031, “select file names” 3032, and “selection flag” 3033 the interface should mimic the corresponding actions in FIG. 05. This reduces the learning curve and any confusion. For example, directories may be shown in a left panel, with files from the highlighted directory or subdirectory listed in a right panel. The console version in the microfiche appendix lacks the elegance of the later Windows version, but it does illustrate one of many possible marking techniques to show which files the user has selected for retrieval.

[0330] Step 3040, a process to reconstitute files, is then launched. This is a direct pass through the reconstitution plan 1270. If the user selected all original data files 0220, then every action is processed. If the user selected a subset of files, a little work may be saved by indicating that a current output is inactive. A second saving comes when all requested files have been recovered; if there are more actions, they may be disregarded at this point. Simply close all files and report.

[0331] Anyone capable of implementing the privatizing process will find that retrieval is straightforward. Much of the source code can be re-used. An efficient and fully functional source code example of the reconstitution sequence is included in the appendix. The heart of a C or C++ language implementation is a switch statement that responds to each action code in turn, starting from the beginning of the reconstitution plan and proceeding code by code. See in the appendix the function “DoReconActions.cpp” and the various “DoAct####.cpp” sub-functions. When the last action code has been processed, all original data files 0220 are in place on the intended drive in the same directory structure in which they were originally found.

[0332] Differences between fragmentation 1740 and reconstitution 0160 in all cases serve to speed up and to simplify reconstitution. For example, in reconstitution, the lengths of all buffers are known once the reconstitution header 1250 has been interpreted; therefore, memory management is simpler. All use of the reconstitution file 0270 is in read-only mode; nothing has to be created other than the original data files 0220. These original data files 0220 are written out to disk in a forward direction, directly as the fragments 1620 are processed.

[0333] Step 3050 is either to report success or to list the error conditions encountered.

[0334] FIG. 31 presents extensions 0170 to the system and method to privatize computer data.

[0335] Extension 3110 consolidates all files within a privacy protected archive 0261 within a single file. This serves a need for simplicity on behalf of persons who wish to retain output from the system and method on hard disk or on a backup medium, without concern for proliferation of files. This objective may be achieved with a simple wrapper for the consolidated output file: a listing at the beginning of the names, sizes, and offsets of each embedded file, followed by the named files appended one after another. A reader of the wrapper should check each size and offset against the length of the file before using it, so that a damaged listing cannot cause reads outside the file. For security reasons, the user should be given the option whether the reconstitution file or files 0270 are to be included within the consolidated file. Security is greater if they are separate; convenience is greater if they are placed together.

[0336] Extension 3120 focuses on privatizing a single original data file 0220. There may be circumstances in which it is convenient for the user to have one privacy protected archive for one original data file 0220.

[0337] The method in extension 3120 is to mathematically break apart the single original data file 0220 into between three and 16 files, each roughly (but not precisely) the same size. A small “script” file should be created giving the original file name with its size and time-date stamp, plus a breakdown of the temporary names, the size of each temporary file, and from where it was extracted in the original data file 0220. This script file should be added to the other temporary files as yet another input, with a name that flags it as an “implement-this-when-reconstituted” signal. From this point forward, fragmentation 1740 is carried out in the normal way, using the temporary files as the input. Reconstitution 0160 is also normal. The only additional requirement is for the program to recognize at the end of the process that steps are to be carried out under the direction of one of the output files. Technically, all that is required is copying bytes under the guidance of a script, assigning the consolidated result the original name and time-date stamp, and deleting the temporary files and script.
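Extensions 3110 and 3120 worked together as one added Python example (not the patent's code): a file is split into 3 to 16 roughly equal pieces with a rejoin script, the pieces are wrapped in a single consolidated file with a leading name/size/offset listing, and the wrapper is parsed with bounds checks and the pieces rejoined. The wrapper layout, the script format, the flag name, the temporary names and the sample data are assumptions; the fragmentation and reconstitution that the real system applies to the temporary files in between are omitted.

```python
import json
import random
import struct
from typing import Dict

SCRIPT_NAME = "__REJOIN__.script"     # "implement this when reconstituted" flag (assumed name)
MAGIC = b"PPA1"                       # wrapper signature for the consolidated file (assumed)


def split_file(name: str, data: bytes, mtime: int, rng: random.Random) -> Dict[str, bytes]:
    """Extension 3120: cut `data` into 3 to 16 temporary files of roughly, but
    not precisely, equal size and add the script describing the rejoin.
    Requires at least 64 bytes so that every piece is non-empty."""
    if len(data) < 64:
        raise ValueError("input too small to split into up to 16 pieces")
    n = rng.randint(3, 16)
    base = len(data) // n
    # Ideal boundaries at multiples of base, each moved by up to a quarter of a
    # piece; the jitter is under half a piece, so boundaries stay in order.
    cuts = [0] + [i * base + rng.randint(-(base // 4), base // 4) for i in range(1, n)] + [len(data)]
    pieces, out = [], {}
    for i in range(n):
        tmp = f"part{i:02d}.tmp"
        out[tmp] = data[cuts[i]:cuts[i + 1]]
        pieces.append({"name": tmp, "size": cuts[i + 1] - cuts[i], "offset": cuts[i]})
    script = {"original": name, "size": len(data), "mtime": mtime, "pieces": pieces}
    out[SCRIPT_NAME] = json.dumps(script).encode()
    return out


def consolidate(files: Dict[str, bytes]) -> bytes:
    """Extension 3110: a header listing name, size and offset of each embedded
    file, followed by the files appended one after another.
    Layout (assumed): MAGIC, u32 count, then per file u16 name length, name,
    u64 size, u64 offset; integers little-endian."""
    names = sorted(files)
    header_len = 8 + sum(2 + len(n.encode()) + 16 for n in names)
    header, offset = bytearray(MAGIC + struct.pack("<I", len(names))), header_len
    for n in names:
        nb = n.encode()
        header += struct.pack("<H", len(nb)) + nb + struct.pack("<QQ", len(files[n]), offset)
        offset += len(files[n])
    return bytes(header) + b"".join(files[n] for n in names)


def unconsolidate(blob: bytes) -> Dict[str, bytes]:
    """Parse the wrapper. Each size/offset pair is checked against the blob
    before use, so a damaged or altered listing cannot read out of range."""
    if blob[:4] != MAGIC:
        raise ValueError("not a consolidated archive")
    (count,) = struct.unpack_from("<I", blob, 4)
    pos, files = 8, {}
    for _ in range(count):
        (name_len,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        name = blob[pos:pos + name_len].decode()
        pos += name_len
        size, offset = struct.unpack_from("<QQ", blob, pos)
        pos += 16
        if offset < 8 or offset + size > len(blob):
            raise ValueError(f"entry {name!r} lies outside the file")
        files[name] = blob[offset:offset + size]
    return files


def rejoin(files: Dict[str, bytes]):
    """The end-of-reconstitution step: copy bytes under the script's direction
    and hand back (original name, time-date stamp, content)."""
    script = json.loads(files[SCRIPT_NAME])
    out = bytearray()
    for p in sorted(script["pieces"], key=lambda p: p["offset"]):
        body = files[p["name"]]
        if p["offset"] != len(out) or len(body) != p["size"]:
            raise ValueError("script and pieces disagree")
        out += body
    if len(out) != script["size"]:
        raise ValueError("rejoined size differs from the original")
    return script["original"], script["mtime"], bytes(out)


SAMPLE = bytes(range(256)) * 4          # constructed 1024-byte stand-in for an original file


def demo(seed: int = 5):
    """Split, wrap, unwrap and rejoin the sample. Returns the rejoined
    (name, mtime, data), the number of pieces and the wrapper size."""
    pieces = split_file("report.doc", SAMPLE, 970000000, random.Random(seed))
    blob = consolidate(pieces)
    return rejoin(unconsolidate(blob)), len(pieces) - 1, len(blob)


if __name__ == "__main__":
    (name, mtime, data), n_pieces, size = demo()
    print(name, mtime, len(data) == len(SAMPLE), n_pieces, "pieces,", size, "byte wrapper")
```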

[0338] Extension 3130 is the addition of file compression. This is a natural feature to include where archives of any sort are to be constructed. Standard techniques may be used; see for example James A. Storer, Data Compression: Methods and Theory, Rockville, Md.: Computer Science Press, 1988. Compression is applied directly to the original data files 0220 after they have been selected by the user and before they are passed through the fragmentation process 1740. Decompression is applied at the end of the reconstitution process 0160.

[0339] There are several advantages to compression in the context of privatizing computer data. The first is that the cumulative size of the output may be reduced significantly, leading to savings in storage space and transmission time. The second is that the time taken for compression is offset by the reduced time to fragment the smaller body of input. A third is that compression is itself a useful way to obscure content and make it less vulnerable to data mining, although a standard compression format is readily reversed by anyone who recognizes it and the compressed size still reflects the content, so compression should be counted as a convenience rather than as a cryptographic measure. The combination of compression and the system and method to privatize computer files 0110 provides further enhanced security.

[0340] Extension 3140 is to automate privatizing and reconstitution of designated file types. To implement this system, the user must designate certain file types by suffix as vulnerable data that should be routinely privatized. For example, all *.xls, all *.doc, all *.rtf, and all *.igx files might be considered as candidates for automatic privatizing. In routine use, a worker at the end of the day would need to click one option, to search for and privatize all files of the designated types. The program would be set to scan the entire hard disk for each file with a designated suffix. Management of the result is simplest if extension 3110 (all results in a single file) and extension 3120 (input as a single file) are applied, so that each input file is handled independently. The resulting single file outputs should be named with the original name, but now with a suffix that denotes it as a privatized version. Reconstitution files 0270 may be embedded (greater convenience), sent to a specified directory for convenient offloading (greater security), or aggregated in one indexed mass of reconstitution files, which could itself be privatized.

[0341] The same worker might the next morning either specify particular files to be reconstituted or, with one click and a date selection, order up all privatized files after a certain date to be automatically reconstituted.

[0342] Extension 3140 would be especially helpful to users who travel with laptop computers. This would reduce vulnerability to data theft to a minimum.

[0343] Extension 3150 is to standardize within an operating system the method to privatize computer data. This might be implemented as a variation on extension 3140, such that original data files 0220 deemed vulnerable by the user are routinely privatized whenever they are not in use. An operating system can unobtrusively privatize and reconstitute files when they are to be opened or when they have been closed by other application software. Extension 3150 would maximize convenience and security both at the same time.

[0344] Extension 3160 is to cause one reconstitution file to be used across varied archives. This carries a particular advantage where data is being privately distributed. A new reconstitution file need not be transmitted; the intended recipient needs only to know which reconstitution file among a supply of them is to be used for a particular archive. Obviously, the stock of reconstitution files must be handled in a very guarded way 1220; otherwise, a security gap would be opened. Reuse also means that the same disguise parameters (table, starting points and fragment lengths) are applied to different content, so two archives privatized under one plan can be compared position by position by anyone holding both; a plan should therefore be shared only among recipients who are entitled to every archive that uses it. To implement this extension, the temporary fragmentation steps file 1690 should not be erased. In addition, the differences in file sizes must be handled, either by random padding out to the original sizes, or by scripting the breakup and/or consolidation of new input files, changing their names and sizes to correspond to those of the input files used when the temporary fragmentation steps file 1690 was first created.

[0345] Extension 3170 is called dynamic dispersion. Its application is to secure Internet data. This is a variation of the system and method to privatize files that takes further advantage of the ability to hide files on the Internet. Instead of multiple composite files as output, there need be only one. Extension 3120 (input in a single file) together with compression 3130 are applied to those parts of an Internet page or pages that are to be accessible only to selected receivers. The output from privatizing 1740 is run through a further “alphaclad” step. This is a standard technique in which each six bits of a file are replaced by one of 64 characters (A through Z, a through z, 0 through 9, and two punctuation characters); apart from the ordering of the characters, it is the familiar base64 encoding. These 64 characters are arranged in a random order; this string must be accessible to a computer that is authorized to access the original data.

[0346] Dispersion is not in this case of the main body of data; that is public. It is embedded within HTML pages that can be viewed over the Internet. The person without authorization sees privatized passages as lines of scrambled upper and lower case characters intermingled with digits and a couple of punctuation characters. By Internet display, 95 percent or more of the required data is made available to the user by conventional Internet browser techniques.

[0347] Dispersion is of three items, combined as one: the reconstitution file 0270, the decompression table 3130 if applicable, and the 64 byte alphaclad string. This information is hidden somewhere on the Internet with an obscure file name in an obscure subdirectory. Security of Internet data under this regime is extremely high. There are for example 64 factorial different alphaclad arrangements (64 ways of selecting the first, 63 ways of selecting the second, etc.), an extremely high number. Note, however, that this is a count of alphabets rather than of cipher keys: the alphaclad string is a fixed substitution on six-bit groups, so repeated input produces repeated output, and the protection of a clad passage rests on the privatized and compressed content beneath it rather than on the alphabet alone. It has already been established that without the reconstitution file the data is impenetrable. The decompression table adds yet another measure of security. The person without these three sets of information is totally unable to crack data that is openly displayed on the Internet.
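The alphaclad step of [0345], added here as Python (not the patent's code), with the check that the 64! count in [0347] invites. The two punctuation characters are assumed to be '+' and '/', the sample alphaclad string is generated from a fixed seed, and the final function shows that clad output is standard base64 passed through a fixed character substitution.

```python
import base64
import random
import string

# The 64 characters the page names: A-Z, a-z, 0-9 and two punctuation
# characters; '+' and '/' are assumed for the latter. In this order the
# scheme is ordinary base64.
STANDARD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def make_alphaclad_string(rng: random.Random) -> str:
    """The 64-byte alphaclad string: the standard set in a random order."""
    chars = list(STANDARD)
    rng.shuffle(chars)
    return "".join(chars)


SAMPLE_STRING = make_alphaclad_string(random.Random(7))   # constructed, fixed seed


def alphaclad_encode(data: bytes, alphabet: str) -> str:
    """Replace each six bits with one character of `alphabet`. A trailing one
    or two bytes become two or three characters; no '=' padding is emitted."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphaclad string must hold 64 distinct characters")
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        out.append("".join(alphabet[s] for s in sextets[:len(chunk) + 1]))
    return "".join(out)


def alphaclad_decode(text: str, alphabet: str) -> bytes:
    """Inverse of alphaclad_encode; rejects lengths and characters that cannot
    have come from the encoder."""
    index = {c: i for i, c in enumerate(alphabet)}
    if len(text) % 4 == 1:
        raise ValueError("invalid alphaclad length")
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = text[i:i + 4]
        n = 0
        for c in chunk.ljust(4, alphabet[0]):          # pad with the character for 0
            if c not in index:
                raise ValueError(f"character {c!r} is not in the alphaclad string")
            n = (n << 6) | index[c]
        out += n.to_bytes(3, "big")[:len(chunk) - 1]
    return bytes(out)


def as_base64_substitution(data: bytes, alphabet: str) -> str:
    """What the random order amounts to: alphaclad output equals standard base64
    with each character substituted through a fixed 64-symbol table. Repeated
    input groups therefore give repeated output groups; the alphabet is a
    substitution key, not a cipher, and the disguised, compressed content
    beneath it is what must carry the security."""
    std = base64.b64encode(data).decode().rstrip("=")
    return std.translate(str.maketrans(STANDARD, alphabet))


if __name__ == "__main__":
    clad = alphaclad_encode(b"Man" * 3, SAMPLE_STRING)
    print(clad, "<- same four characters three times")
    print(alphaclad_decode(clad, SAMPLE_STRING))
```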

[0348] Dispersion is dynamic in that the name and location of the hidden data change at random time intervals, with shorter periods for highly sensitive data. The data in alphaclad form and the associated reconstitution file may also be completely replaced at random times. The only thing that an astute viewer on the Internet would notice is that the scramble of letters, digits, etc. has changed from what it was on a previous viewing.

[0349] A variety of techniques may be applied to make the name and location of the hidden data accessible to an authorized viewer. The selection of technique depends on the trade-off between convenience and security, and on the swiftness of change of the data. Note that information posted on the Internet under “dynamic dispersion for secure Internet data 3170” may be highly volatile. The author/publisher can change content and re-privatize it many times per day.

[0350] To briefly summarize the foregoing, a system for privatizing computer data comprises a plurality of original data files 0220, a plurality of original data storage structures (original data buffers 1612), a plurality of fragment storage structures (fragment heaps 1651), a plurality of composite files 0250, and at least two hidden locations for storing the plurality of composite files. Data from each of the original data files is read into a corresponding original data storage structure in reverse sequential order. Data in the storage structures is fragmented into fragments, where each of said fragments is read from one of the plurality of original data storage structures and written into one of the said plurality of fragment storage structures, forming interspersed fragments. To be more precise, one of the plurality of original data storage structures is selected randomly. A random size fragment is read from the end (reverse order) of that original data storage structure, disguised by multiple techniques, and written into the next available fragment storage structure in round robin order. After any one of said fragment storage structures is filled, it is padded to become a composite segment, which is then camouflaged and written to one of the plurality of composite files. The fragment storage structure is reinitiated after said interspersed fragments are written to the composite files. Once all the data has been fragmented, disguised, interspersed and formed into new composite files, the composite files are sent to at least two hidden dispersion locations.

[0351] The system further comprises a reconstitution file having the reconstitution plan. The reconstitution plan comprises the locations of the dispersed composite files and the order of said fragments to reconstruct the plurality of original data files. The plan also guides the identification of fragments, the removal of their disguises, and their allocation to correct locations in the reconstituted versions of the original data files. Fragment disguising is performed through a plurality of high speed mathematical manipulations, guided by parameters determined by a fragment handling guide which starts at a seemingly random starting point in a randomly selected table consisting of random bytes.
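A miniature of the fragmentation and reconstitution that [0331] and [0332] describe and [0350] and [0351] summarize, added here as Python and not taken from the patent's appendix. The fragment length bound, the segment size, a single XOR disguise in place of the page's several operations, the omission of segment camouflage and of dispersion, and the sample files and table are all assumptions of the example. What it reproduces is random source selection, draws from the end of each buffer, round-robin heaps, padded segments, a plan written in reverse, and one forward pass through the plan that writes every output from its first byte onward and can stop early when only a subset is wanted.

```python
import random
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample inputs standing in for original data files 0220 and one
# random table 0230 (real tables are far larger; 256 bytes suffices here).
ORIGINALS: Dict[str, bytes] = {
    "notes.txt": b"The quick brown fox jumps over the lazy dog. " * 3,
    "ledger.bin": bytes(range(100)),
}
_table_rng = random.Random(2000)
RANDOM_TABLE = bytes(_table_rng.randrange(256) for _ in range(256))
SEGMENT_SIZE = 64        # capacity of a fragment heap 1651 and size of a composite segment
MAX_FRAGMENT = 16        # upper bound on a random fragment length

# One plan action: where a fragment went and how it was disguised.
# (source file, composite index, segment index, offset in segment, length, table start)
Action = Tuple[str, int, int, int, int, int]


def disguise(fragment: bytes, start: int) -> bytes:
    """One disguise operation: XOR with random-table bytes from `start`. The
    page's fragment handling guide selects several operations; one is shown.
    XOR is its own inverse, so reconstitution calls this function again."""
    return bytes(b ^ RANDOM_TABLE[(start + i) % len(RANDOM_TABLE)] for i, b in enumerate(fragment))


def _flush(heap: bytearray, segments: List[bytes], rng: random.Random) -> None:
    """A filled heap is padded to SEGMENT_SIZE and becomes a composite segment
    (the page's camouflage of the segment is omitted here)."""
    heap += bytes(rng.randrange(256) for _ in range(SEGMENT_SIZE - len(heap)))
    segments.append(bytes(heap))
    heap.clear()


def fragment(originals: Dict[str, bytes], n_composites: int, rng: random.Random):
    """Fragmentation 1740 in miniature. Returns (composite files as lists of
    segments, reconstitution plan, header of output lengths)."""
    buffers = {name: bytearray(data) for name, data in originals.items()}   # buffers 1612
    heaps = [bytearray() for _ in range(n_composites)]                        # heaps 1651
    composites: List[List[bytes]] = [[] for _ in range(n_composites)]        # files 0250
    actions: List[Action] = []
    turn = 0
    while any(buffers.values()):
        src = rng.choice([n for n, b in buffers.items() if b])   # random source buffer
        buf = buffers[src]
        length = rng.randint(1, min(MAX_FRAGMENT, len(buf)))    # random fragment size
        frag = bytes(buf[-length:])                              # drawn from the end
        del buf[-length:]                                        # current end moves forward
        start = rng.randrange(len(RANDOM_TABLE))                 # guide's table start point
        heap = heaps[turn]
        if len(heap) + length > SEGMENT_SIZE:
            _flush(heap, composites[turn], rng)
        actions.append((src, turn, len(composites[turn]), len(heap), length, start))
        heap += disguise(frag, start)
        turn = (turn + 1) % n_composites                         # round robin over heaps
    for i, heap in enumerate(heaps):
        if heap:
            _flush(heap, composites[i], rng)
    header = {name: len(data) for name, data in originals.items()}
    # Actions are written in reverse (claim 19) so that a forward pass through the
    # plan produces each output file from its first byte onward.
    return composites, actions[::-1], header


def reconstitute(composites: List[List[bytes]], plan: List[Action], header: Dict[str, int],
                 wanted: Optional[Set[str]] = None) -> Dict[str, bytes]:
    """Step 3040: one forward pass through the plan. With `wanted`, actions for
    other outputs are skipped and the pass stops once every wanted file is
    complete, as [0330] suggests; the header lengths make that test possible."""
    wanted = set(header) if wanted is None else wanted
    outputs = {name: bytearray() for name in wanted}
    for src, ci, si, off, length, start in plan:
        if src not in outputs:
            continue                                             # inactive output
        outputs[src] += disguise(composites[ci][si][off:off + length], start)
        if all(len(outputs[n]) == header[n] for n in wanted):
            break                                                # nothing more to recover
    return {name: bytes(buf) for name, buf in outputs.items()}


def round_trip(seed: int = 1, n_composites: int = 3, wanted: Optional[Set[str]] = None):
    """Fragment the sample files with a seeded generator and reconstitute them.
    Returns (reconstituted files, composite files, plan)."""
    comps, plan, hdr = fragment(ORIGINALS, n_composites, random.Random(seed))
    return reconstitute(comps, plan, hdr, wanted), comps, plan


if __name__ == "__main__":
    out, comps, plan = round_trip()
    print(out == ORIGINALS, len(plan), "actions;", [len(c) for c in comps], "segments per file")
```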

[0352] Naturally, this method and system is not limited to any specific computer media. Further, any apparatus, such as, but not limited to, a computer, CD-ROM, floppy disk or hard disk, or similar apparatus may hold the software for privatizing computer data.

[0353] The invention has been described with reference to a preferred embodiment. Obviously, modifications and alterations will occur to others upon a reading and understanding of this specification. It is intended to include all such modifications and alterations in so far as they come within the scope of the appended claims or the equivalence thereof.

What is claimed is:

1. A method for privatizing computer data, comprising the steps of: providing at least one original data file; fragmenting said original data file into fragments; creating at least one composite file by interspersing said fragments; creating a reconstitution file, said reconstitution file comprising a reconstitution plan; and dispersing said at least one composite file to at least one location.

2. The method for privatizing computer data of claim 1, wherein creating at least one composite file further comprises the step of: disguising said fragments.

3. The method for privatizing computer data of claim 2, wherein disguising said fragments further comprises the step of: disguising said fragment through at least two mathematical techniques.

4. The method for privatizing computer data of claim 2, wherein said step of disguising said fragments further comprises the steps of: accessing a random table, said random table being a randomized plurality of data bytes; and, accessing a fragment handling guide, said fragment handling guide comprising a predetermined number of successive bytes from said random table.

5. The method for privatizing computer data of claim 4, wherein said step of accessing said fragment handling guide comprises the step of: determining a starting point in said random table.

6. A method for privatizing computer data comprising the steps of: providing a plurality of original data files, each of said original data files being a binary stream; fragmenting said plurality of original data files into fragments; creating at least two composite files by interspersing said fragments; creating a reconstitution file having a reconstitution plan; and dispersing said at least two composite files to at least two different locations.

7. The method for privatizing computer data of claim 6, wherein fragmenting said plurality of original data files into fragments further comprises the steps of: processing original data file matters; processing random table matters; obtaining a fragment handling guide; interpreting said fragment handling guide; obtaining one of said fragments; providing space in a fragment storage structure for said one of said fragments; disguising said one of said fragments; writing said disguised one of said fragments to said fragment storage structure so as to intersperse said disguised one of said fragments with other fragments stored therein; writing said interspersed fragments to said composite file when said fragment storage structure is filled with said interspersed fragments; recording an action taken on said fragment to said reconstitution file; and repeating said steps for fragmenting said data files into fragments until no input data remains in said original data files.

8. The method for privatizing computer data of claim 7, further comprising the step of: reinitiating said fragment storage structure after said interspersed fragments are written to said composite file.

9. The method for privatizing computer data of claim 7, wherein the step of processing original data file matters further comprises the step of: finalizing input matters when said input data being stored in one of a plurality of original data storage structures exceeds or equals a threshold value.

10. The method for privatizing computer data of claim 7, wherein processing data input file matters further comprises the step of: replenishing an original data storage structure when input data being stored in said original data storage structure is less than a threshold value.

11. The method for privatizing computer data of claim 10, further comprising the step of: closing one of said plurality of original data files if no input data is being stored in said corresponding original data storage structure.

12. The method for privatizing computer data of claim 11, further comprising the step of: marking said closed original data file inactive if no input data exists therein.

13. The method for privatizing computer data of claim 7, wherein processing random table matters comprises the step of: accessing a random table having a predetermined number of randomized bytes, wherein the first two bytes are binary integers identifying said random table.

14. The method for privatizing computer data of claim 7, wherein obtaining one of said fragments further comprises the step of: reading and writing data from each of said plurality of original data files to a plurality of original data storage structures, said plurality of original data storage structures corresponding to each of said plurality of original data files, wherein said fragments are drawn from each of said original data storage structures.

15. The method for privatizing computer data of claim 14, wherein writing data from each of said plurality of original data files to said plurality of original data storage structures is performed in sequential order.

16. The method for privatizing computer data of claim 14, wherein writing said disguised one of said fragments to said fragment storage structure so as to intersperse said disguised one of said fragments with other fragments stored therein comprises the steps of: reading and writing each of said fragments from each original file data structure to one of a plurality of fragment data storage structures, resulting in interspersed fragments; and reading and writing said interspersed fragments to said composite files.

17. The method for privatizing computer data of claim 16, wherein said original data storage structures have an end, wherein writing said disguised one of said fragments to said fragment storage structure further comprises the steps of: selecting one of said original data storage structures randomly; drawing the next fragment in sequence from said end of said original data storage structure resulting in a new current end; repositioning said new current end forward to the beginning of the just drawn fragment such that said fragments are drawn from said original data storage structures in a combined random and reverse order, said fragments being read into said corresponding fragment data storage structures in a round robin order.

18. The method for privatizing computer data of claim 7, wherein said step of disguising said one of said fragments is performed through at least two mathematical techniques, said one of said fragments having a fragment length and a starting point in a random table, said fragment length and said starting point designated by said fragment handling guide.

19. The method for privatizing computer data of claim 6, wherein creating a reconstitution file further comprises the steps of: creating a header with counts and offsets; appending all location strings; appending names of all random tables; appending all original data file names; appending all composite file names; compressing trailers; and writing actions with compressed trailers in reverse order.
 20. A system for privatizing computer data,said system comprising: a plurality of original data files; a pluralityof fragment storage structures, said original data files beingfragmented into fragments, each of said fragments being read from one ofsaid plurality of original data files and written into one of saidplurality of fragment storage structures forming interspersed fragments;a plurality of composite files, wherein the interspersed fragments ofone of said fragment storage structure is written to one of saidcomposite files after each occurrence that one of said fragment storagestructures is filled; and at least two different storage locations. 21.The system for privatizing computer data of claim 20, said systemfurther comprising a plurality of original data storage structurescorresponding with each of said plurality of original data files, datafrom each of said original data files being read into one of saidcorresponding original file storage structures, said fragment being readfrom said original storage structure and written into said fragmentstorage structure.
 22. The system for privatizing computer data of claim21, wherein said fragments are read into said original storagestructures in sequential order.
 23. The system for privatizing computerdata of claim 20, wherein said fragments are written into said pluralityof fragment storage structures in reverse order.
 24. The system forprivatizing computer data of claim 20, wherein said fragment storagestructure is reinitiated after said interspersed fragments are writtento said composite files.
 25. The system for privatizing computer data ofclaim 20, said system further comprising a reconstitution plan adaptedto restore said fragments into said plurality of original data files.26. The system for privatizing computer data of claim 20, wherein saidfragments are disguised.
 27. The system for privatizing computer data ofclaim 26, wherein the system further comprises a random table fordisguising said fragments, said random table being a randomizedplurality of data bytes.
 28. The system for privatizing computer data ofclaim 27, wherein said disguising is performed by an operation having astarting point in said random table, said operation and starting pointbeing determined by a fragment handling guide.
 29. A computer readablemedium containing instructions for controlling a computer system toperform a method, the method comprising the steps of: providing aplurality of original data files; providing a plurality of fragmentstorage structures; providing a plurality of composite files; providingat least two locations for storing said plurality of composite files;fragmenting said original data files into fragments reading each of saidfragments from said plurality of original data files; writing each ofsaid fragments into one of said plurality of fragment storagestructures; forming interspersed fragments; filling said fragmentstorage structures with fragments; and, writing said interspersedfragments to said composite files.
 30. The computer readable medium ofclaim 29, the method further comprising the step of: providing aplurality of original data storage structures one of which correspondswith each of said plurality of original data files; reading and writingdata from each of said original data files into said correspondingoriginal file storage structures; and reading and writing said fragmentfrom said original storage structure into said fragment storagestructure.
 31. The computer readable medium of claim 29, wherein readingand writing data from each of said original data files into saidcorresponding original file storage structures further comprises thestep of: reading and writing said portions of original data files intosaid original storage structures progressively in reverse sequentialorder.
 32. The computer readable medium of claim 29, wherein reading andwriting said fragment from said original storage structure into saidoriginal file storage structure further comprises the steps of: randomlyselecting fragments of random length from the ends of the original filestorage structures; and reading and writing said fragments into saidplurality of fragment storage structures in round robin order.
 33. The computer readable medium of claim 29, the method further comprising the step of: reinitiating said fragment storage structure after said interspersed fragments are written to said composite files.
 34. The computer readable medium of claim 29, the method further comprising the steps of: providing a reconstitution plan; retrieving said plurality of dispersed composite files; and reordering said fragments to reconstruct said plurality of original data files.
 35. The computer readable medium of claim 29, the method further comprising the step of: disguising said fragments.
 36. The computer readable medium of claim 35, wherein the step of disguising said fragments is determined by a random table, said random table being a randomized plurality of data bytes.
 37. The computer readable medium of claim 36, wherein said step of disguising said fragments is performed by an operation having a starting point in said random table, said operation and starting point being determined by a fragment handling guide.
 38. An apparatus, comprising: means for opening a plurality of original data files, each of said original data files being a binary stream; means for fragmenting said plurality of original data files into fragments; means for creating at least two composite files by interspersing said fragments; means for creating a reconstitution file having a reconstitution plan; and means for dispersing said at least two composite files to at least two different locations.
 39. The apparatus of claim 38, wherein means for fragmenting said plurality of original data files into fragments further comprises: means for processing original data file matters; means for processing random table matters; means for obtaining a fragment handling guide; means for interpreting said fragment handling guide; means for obtaining one of said fragments; means for providing space in a fragment storage structure for said one of said fragments; means for disguising said one of said fragments; means for writing said disguised one of said fragments to said fragment storage structure so as to intersperse said disguised one of said fragments with other fragments stored therein; means for writing said interspersed fragments to said composite file when said fragment storage structure is filled with said interspersed fragments; means for recording an action taken on said fragment to said reconstitution file; and means for repeating said steps for fragmenting said data files into fragments until no input data remains in said original data files.
 40. The apparatus of claim 39, further comprising: means for reinitiating said fragment storage structure after said interspersed fragments are written to said composite file.
 41. The apparatus of claim 39, wherein means for processing original data file matters further comprises: means for finalizing input matters when said input data being stored in one of a plurality of original data storage structures exceeds or equals a threshold value.
 42. The apparatus of claim 39, wherein means for processing original data file matters further comprises: means for replenishing an original data storage structure when input data being stored in said original data storage structure is less than a threshold value.
 43. The apparatus of claim 42, further comprising: means for closing one of said plurality of original data files if no input data is being stored in said corresponding original data storage structure.
 44. The apparatus of claim 43, further comprising: means for marking said closed original data file inactive if no input data exists therein.
 45. The apparatus of claim 39, wherein said means for processing random table matters comprises: means for accessing a random table having a predetermined number of randomized bytes, wherein the first two bytes are binary integers identifying said random table.
 46. The apparatus of claim 39, wherein said means for obtaining one of said fragments further comprises: means for reading and writing data from each of said plurality of original data files to a corresponding original data storage structure, wherein said fragments are drawn from each of said original data storage structures.
 47. The apparatus of claim 46, wherein said means for writing data from one of said plurality of original data files to its corresponding original data storage structure is performed in sequential order from end to beginning of said original data file.
 48. The apparatus of claim 46, wherein said means for writing said disguised one of said fragments to said fragment storage structure so as to intersperse said disguised one of said fragments with other fragments stored therein comprises: means for reading and writing each of said fragments from one of said original file data structures to one of a plurality of fragment data storage structures, resulting in interspersed fragments, said original file data structure being randomly selected; and means for reading and writing said interspersed fragments to said composite files.
 49. The apparatus of claim 48, wherein each of said original data storage structures comprises an end and each of said fragment data storage structures comprises an end, wherein each of said fragments is drawn from said end of said randomly selected original data storage structure, and each of said fragments is read successively into said end of one of said fragment data storage structures in round robin order.
 50. The apparatus of claim 39, wherein said means for disguising said one of said fragments is performed through an exclusive OR operation, said one of said fragments having a fragment length and a starting point in a random table, said fragment length and said starting point designated by said fragment handling guide.
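The exclusive OR disguise of claim 50 (and of claims 36 and 37) is, in cryptographic terms, a keystream taken from the random table at the offset the fragment handling guide designates. The following is an added example, not code from the patent, showing the operation and the check a practitioner would run on it: if the guide ever designates the same starting point for two fragments, XORing the two disguised fragments cancels the table entirely. The guide is modelled here as a bare starting point, the table wraps around at its end, and all names are my assumptions.

```python
"""Added example, not code from the patent: XOR disguising of a fragment
against a random table, as claim 50 describes, plus the keystream-reuse
check a reviewer would run on it. The fragment handling guide is modelled
as just a table starting point; table wrap-around and all names here are
my assumptions."""


def disguise(fragment: bytes, table: bytes, start: int) -> bytes:
    """XOR byte i of the fragment with table[start + i] (wrapping at the
    table end). XOR is its own inverse, so the same call undoes it."""
    n = len(table)
    return bytes(b ^ table[(start + i) % n] for i, b in enumerate(fragment))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR of two byte strings over their common prefix."""
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two fragments disguised from the SAME starting point: XORing the two
    disguised fragments cancels the table and yields plaintext1 XOR
    plaintext2; the random table plays no part in the result."""
    return xor_bytes(c1, c2)


def recover_other(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Known-plaintext attack on a reused starting point: with p1 known
    (a file header, a fixed form field), p2 = c1 XOR c2 XOR p1."""
    return xor_bytes(reuse_leak(c1, c2), known_p1)


def demo():
    # Constructed, deterministic "random table" so the demo is repeatable;
    # a real table would come from a CSPRNG.
    table = bytes((i * 131 + 7) & 0xFF for i in range(256))
    guide_start = 40           # starting point the guide would designate
    p1 = b"PK\x03\x04header"   # a predictable fragment (constructed)
    p2 = b"card=4111 1111"     # the fragment we want to keep private
    c1 = disguise(p1, table, guide_start)
    c2 = disguise(p2, table, guide_start)   # same start: keystream reused
    return {
        "round_trip_ok": disguise(c1, table, guide_start) == p1,
        "leak_equals_p1_xor_p2": reuse_leak(c1, c2) == xor_bytes(p1, p2),
        "p2_recovered": recover_other(c1, c2, p1),   # b"card=4111 "
    }
```

The consequence for the scheme as claimed: the random table is one-time-pad keystream, so the fragment handling guide must never designate overlapping (starting point, fragment length) ranges across fragments, and a table of N bytes can disguise at most N bytes of fragments before it has to be replaced. The table and the reconstitution file are the secrets; if either is exposed, the dispersal of the composite files to hidden locations adds nothing.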
 51. The apparatus of claim 38, wherein said means for creating a reconstitution file further comprises: means for creating a header with counts and offsets; means for appending all location strings; means for appending all random table names; means for appending original data file names; means for appending composite file names; means for compressing trailers; and means for writing actions each with its compressed trailer in reverse order.
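Claims 29 to 51 together describe one procedure: draw random-length fragments from the end of a randomly chosen original (so each file is consumed back to front, claims 31, 32, 47 and 49), disguise each fragment against the random table, write the fragments round robin into the fragment storage structures and on to the composite files, record each action to the reconstitution file, and later reorder the fragments from that record. The following compact model is an added example, not the patent's own code; it shows why the reverse-order action record of claim 51 is the natural way to rebuild the originals, and it refuses to reuse any table offset. The `Action` layout, the seeded RNG and all names are my assumptions.

```python
"""Added example, not the patent's own code: a compact model of the
pipeline in claims 29 to 51. Random-length fragments are drawn from the end
of a randomly chosen original (so each file is consumed back to front),
XOR-disguised against a random table at a never-reused starting point,
interspersed round robin into composite buffers, and each action is
recorded; the record is then used to reconstitute the originals. The Action
layout, the seeded RNG and all names are my assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    original: str      # original file the fragment was drawn from
    composite: int     # composite buffer it was written to
    offset: int        # byte offset of the fragment inside that composite
    length: int        # fragment length
    table_start: int   # starting point in the random table


def xor_with_table(data: bytes, table: bytes, start: int) -> bytes:
    """Disguise (or undisguise) data by XOR against table[start:]."""
    return bytes(b ^ table[start + i] for i, b in enumerate(data))


def privatize(originals, n_composites, table, rng, max_frag=8):
    """Return (composite buffers, actions); the actions are the
    reconstitution plan and are as secret as the originals themselves."""
    remaining = {name: bytearray(data) for name, data in originals.items()}
    composites = [bytearray() for _ in range(n_composites)]
    actions = []
    cursor = 0   # next unused table offset: starting points never overlap
    turn = 0     # round-robin pointer over the composite buffers
    while any(remaining.values()):
        # randomly select an original that still has data (claim 32)
        name = rng.choice([n for n, buf in remaining.items() if buf])
        buf = remaining[name]
        length = rng.randint(1, min(max_frag, len(buf)))
        fragment = bytes(buf[-length:])   # drawn from the END of the file
        del buf[-length:]
        if cursor + length > len(table):
            raise ValueError("random table exhausted; a new table is needed")
        comp = turn % n_composites
        actions.append(Action(name, comp, len(composites[comp]), length, cursor))
        composites[comp] += xor_with_table(fragment, table, cursor)
        cursor += length
        turn += 1
    return [bytes(c) for c in composites], actions


def reconstitute(composites, actions, table):
    """Rebuild the originals from the composites and the action record.
    Fragments were recorded tail first, so walking the record in reverse
    order (the order claim 51 stores it in) appends each file front to back."""
    out = {}
    for a in reversed(actions):
        piece = composites[a.composite][a.offset:a.offset + a.length]
        out.setdefault(a.original, bytearray()).extend(
            xor_with_table(piece, table, a.table_start))
    return {name: bytes(buf) for name, buf in out.items()}


def demo(seed=7, table_len=256):
    # seeded for repeatability; a real implementation draws from a CSPRNG
    rng = random.Random(seed)
    # constructed sample originals
    originals = {
        "card.txt": b"4111 1111 1111 1111 exp 12/29",
        "note.txt": b"meeting moved to 3pm",
    }
    table = bytes(rng.getrandbits(8) for _ in range(table_len))  # the random table
    composites, actions = privatize(originals, 3, table, rng)
    rebuilt = reconstitute(composites, actions, table)
    return originals, table, composites, actions, rebuilt
```

Two points the model makes visible. First, the composite files alone reveal the total plaintext size and, with a few composites, roughly how many fragments exist, since every fragment byte lands in some composite; the scheme hides content and ordering, not volume. Second, reconstitution needs the action record and the random table, and nothing else: an attacker holding the dispersed composites but neither of those is facing pure XOR keystream, while one holding all three has everything, whatever the locations.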